
CVE-2026-0767

CVE ID: CVE-2026-0767
Vendor Disposition: Rejected — not a vulnerability
Published: 2026-01-23
Issuing CNA: Zero Day Initiative (ZDI-26-033)
Claimed Severity: Medium (CVSS 6.5 — CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-319 (Cleartext Transmission of Sensitive Information)

What the CVE Claims

User credentials (email and password) submitted to Open WebUI's login endpoint are transmitted in cleartext if the application is deployed over plain HTTP rather than HTTPS, allowing a network-adjacent attacker to intercept them.


Why This Is Not a Vulnerability

This describes a property of the HTTP protocol, not a defect in Open WebUI. An unencrypted HTTP request is, by definition, not encrypted — this applies to every web application ever built.

Open WebUI is a backend application that exposes an HTTP interface. Whether that interface is exposed directly, behind a TLS-terminating reverse proxy, behind a load balancer with TLS, or via a managed platform, is the operator's deployment decision. The application does not, and is not expected to, mandate transport-layer configuration. The description is functionally equivalent to stating "if the operator deploys Apache HTTPD without HTTPS, login credentials are sent in cleartext" — a true statement that does not constitute a vulnerability in Apache.

CVSS Accuracy

The CVSS vector itself acknowledges the impracticality: AV:A (Adjacent Network) and AC:H (High Attack Complexity) reflect that the scenario requires both an unencrypted deployment and a network-adjacent attacker positioned to intercept traffic. In any conventional production deployment behind TLS termination, the scenario does not arise.

Applicable Security Policy Rules

  • Rule 1: Expected protocol behavior is not a vulnerability. HTTP's cleartext property is the textbook example.
  • Rule 6: The scenario manifests only when the operator deploys without TLS — not a property of Open WebUI's default configuration.
  • Rule 7: The report mischaracterizes a deployment-layer property as an application-layer defect.

Impact to Users

No action required, provided your deployment uses TLS. If you are running Open WebUI over plain HTTP in production, configure TLS termination via a reverse proxy — standard deployment hygiene for any web application, not a response to this CVE. See our HTTPS and Reverse Proxy Configuration guide.
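A minimal TLS-terminating reverse proxy in front of Open WebUI, as an added illustration of the deployment hygiene described above (this is example configuration written for this page, not configuration from the Open WebUI project or its guide). It assumes nginx, that Open WebUI is bound to 127.0.0.1:8080 on the same host so the remaining cleartext hop never leaves the loopback interface, that the hostname is openwebui.example.com, and that the certificate paths are placeholders you replace with your own. Plain HTTP on port 80 is answered only with a redirect, so a login POST sent to port 80 by mistake is never forwarded to the application, and the HSTS header tells browsers to refuse plain HTTP for this host on later visits.

```nginx
# Added example (not Open WebUI project configuration). Assumptions:
#   - Open WebUI listens on 127.0.0.1:8080 (adjust to your port/bind address)
#   - server_name and certificate paths are placeholders

# Port 80: redirect everything to HTTPS; never proxy a cleartext request.
server {
    listen 80;
    listen [::]:80;
    server_name openwebui.example.com;
    return 301 https://$host$request_uri;
}

# Port 443: TLS terminates here; traffic to the backend stays on loopback.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name openwebui.example.com;

    ssl_certificate     /etc/ssl/certs/openwebui.example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/openwebui.example.com.key;          # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Browsers that have seen this header will not send plain HTTP to this host.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend address
        proxy_http_version 1.1;

        # WebSocket upgrade headers so streaming responses work through the proxy.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Let the application see the original host and that the client used HTTPS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Long-running model responses: do not cut the upstream connection early.
        proxy_read_timeout 3600s;
    }
}
```

After `nginx -t` and a reload, two checks confirm the property this CVE is about: `curl -sI http://openwebui.example.com/` should return a 301 to the https:// URL with no application content, and `curl -sI https://openwebui.example.com/` should include the Strict-Transport-Security header. Also confirm from another host that port 8080 is not reachable directly; if the backend still binds 0.0.0.0, the proxy alone does not remove the cleartext path.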


This content is for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. Open WebUI is provided "as is." See your license for applicable terms.