PYSEC-2026-1733

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/open-webui/PYSEC-2026-1733.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1733
Aliases
Published
2026-07-07T14:34:53.587900Z
Modified
2026-07-07T17:47:07.588066033Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Open WebUI Uncontrolled Resource Consumption vulnerability
Details

In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.

References

Affected packages

PyPI / open-webui

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.3.32

Affected versions

0.*
0.1.124
0.1.125
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17.dev2
0.3.17.dev3
0.3.17.dev4
0.3.17.dev5
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27.dev1
0.3.27.dev2
0.3.27.dev3
0.3.27
0.3.28
0.3.29
0.3.30.dev1
0.3.30.dev2
0.3.30
0.3.31.dev1
0.3.31
0.3.32

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/open-webui/PYSEC-2026-1733.yaml"