CVE-2026-28786

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28786

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28786.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28786

Aliases

GHSA-vvxm-vxmr-624h

Published

2026-03-26T23:37:25.673Z

Modified

2026-04-02T13:22:22.201496Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`

Details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including the server's absolute DATA_DIR path — is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue.

Database specific

{
    "cwe_ids": [
        "CWE-209",
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28786.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type

GIT

Repo

https://github.com/open-webui/open-webui

Events

Introduced

Fixed

9c9a18d6d4311ff246d5d1345d94581bf25c604b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.6"
        }
    ]
}

Affected versions

v0.*

v0.1.102

v0.1.103

v0.1.104

v0.1.105

v0.1.106

v0.1.107

v0.1.108

v0.1.109

v0.1.110

v0.1.111

v0.1.112

v0.1.113

v0.1.114

v0.1.115

v0.1.116

v0.1.117

v0.1.118

v0.1.119

v0.1.120

v0.1.121

v0.1.122

v0.1.123

v0.1.124

v0.1.125

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.3.0

v0.3.1

v0.3.10

v0.3.11

v0.3.12

v0.3.13

v0.3.14

v0.3.15

v0.3.16

v0.3.17

v0.3.18

v0.3.19

v0.3.2

v0.3.20

v0.3.21

v0.3.22

v0.3.23

v0.3.24

v0.3.25

v0.3.26

v0.3.27

v0.3.28

v0.3.29

v0.3.3

v0.3.30

v0.3.31

v0.3.32

v0.3.33

v0.3.34

v0.3.35

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.5.0

v0.5.1

v0.5.10

v0.5.11

v0.5.12

v0.5.13

v0.5.14

v0.5.15

v0.5.16

v0.5.17

v0.5.18

v0.5.19

v0.5.2

v0.5.20

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.10

v0.6.11

v0.6.12

v0.6.13

v0.6.14

v0.6.15

v0.6.16

v0.6.17

v0.6.18

v0.6.19

v0.6.2

v0.6.20

v0.6.21

v0.6.22

v0.6.23

v0.6.24

v0.6.25

v0.6.26

v0.6.27

v0.6.28

v0.6.29

v0.6.3

v0.6.30

v0.6.31

v0.6.32

v0.6.33

v0.6.34

v0.6.35

v0.6.36

v0.6.37

v0.6.38

v0.6.39

v0.6.4

v0.6.40

v0.6.41

v0.6.42

v0.6.43

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9

v0.7.0

v0.7.1

v0.7.2

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28786.json"