GHSA-m69w-p7m4-585j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m69w-p7m4-585j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m69w-p7m4-585j/GHSA-m69w-p7m4-585j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m69w-p7m4-585j
- Aliases
-
- CVE-2026-45667
- Published
- 2026-05-14T20:28:02Z
- Modified
- 2026-05-19T16:15:13.941190931Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
- Details
-
Summary
GET
/api/v1/memories/efis accessible without authentication and executesrequest.app.state.EMBEDDING_FUNCTION(...). This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used. Code reference:backend/open_webui/routers/memories.py(@router.get("/ef") -> callsrequest.app.state.EMBEDDING_FUNCTION("hello world")).Details
GET
/api/v1/memories/efis reachable without authentication and triggers request.app.state.EMBEDDING_FUNCTION("hello world"). This crosses an intended security boundary by allowing unauthenticated users to invoke potentially expensive embedding computation and/or paid upstream embedding APIs.PoC
- Start Open WebUI in default configuration (no special env hardening; default ENABLE_MEMORIES is true).
- From an unauthenticated client (no cookies/Authorization header), call:
curl -i http://<host>:<port>/api/v1/memories/ef
- Observe the server performs embedding generation and returns a response like:
- HTTP 200 with JSON containing the result.
How it can be abused / attacker actions:
- Send repeated requests to
/api/v1/memories/efto:- consume CPU/GPU resources (DoS)
- generate sustained outbound usage to embedding providers if configured (cost + rate-limit exhaustion)
- degrade latency/availability for legitimate users
Impact
If embeddings are configured to use paid/remote providers (OpenAI/Azure/etc), an attacker can generate unlimited requests and incur charges.
Resolution
Fixed in commit e5035ea31, first released in v0.8.0 (Feb 2026). The
/api/v1/memories/efroute was removed entirely. It was a diagnostic/debug-style endpoint that hard-coded"hello world"through the embedding function without any authentication dependency; there was no legitimate caller that depended on it, so deletion was the cleaner fix than retrofitting auth. Users on>= 0.8.0are not affected. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-05-15T22:16:56Z", "github_reviewed_at": "2026-05-14T20:28:02Z", "cwe_ids": [ "CWE-862" ] }- References
-
- https://github.com/open-webui/open-webui/security/advisories/GHSA-m69w-p7m4-585j
- https://nvd.nist.gov/vuln/detail/CVE-2026-45667
- https://github.com/open-webui/open-webui/commit/e5035ea31e179977e805a7032c979ff59a71860a
- https://github.com/open-webui/open-webui
- https://github.com/open-webui/open-webui/releases/tag/v0.8.0
Affected packages
PyPI / open-webui
Package
- Name
- open-webui
- View open source insights on deps.dev
- Purl
- pkg:pypi/open-webui
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.8.0