Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation
Vulnerability Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, execute_automation rehydrated automation owners without rechecking that they were still active or still had features.automations, and check_model_access only enforced private-model grants for the exact user role, allowing deactivated pending users to continue scheduled model execution. This issue is fixed in version 0.10.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
授权机制不恰当
Vulnerability Title
Open WebUI 授权问题漏洞
Vulnerability Description
Open WebUI是Open WebUI团队开源的一个可扩展、功能丰富、用户友好的自托管 WebUI。 Open WebUI 0.10.0之前版本存在授权问题漏洞,该漏洞源于权限验证问题,可能导致已停用的待处理用户继续执行计划模型。以下版本受到影响:0.9.0版本至0.10.0之前版本。
CVSS Information
N/A
Vulnerability Type
N/A