Detections
Analytics

SCA: security update for open-webui (GHSA-7r82-qhg4-6wvj)

high Tenable Self-Hosted Container Security Plugin ID 441606

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior
 to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an
 overwrite query parameter (default: True). It performs no authorization check on whether the calling user
 owns or has write access to the target collection. When overwrite=True, save_docs_to_vector_db calls
 VECTOR_DB_CLIENT.delete_collection() on the target collection before writing new content. This
 vulnerability is fixed in 0.9.0. (CVE-2026-44554)

Solution

Update the open-webui library and its related packages to version 0.9.0 or later.

See Also

https://github.com/advisories/GHSA-7r82-qhg4-6wvj

Plugin Details

Severity: High

ID: 441606

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/9/2026

Updated: 5/19/2026

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS Score Source: CVE-2026-44554

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2026

Vulnerability Publication Date: 5/8/2026

Reference Information

CVE: CVE-2026-44554

cwe: CWE-862