
CVE-2026-0767

CVE ID: CVE-2026-0767
Vendor Disposition: Rejected — not a vulnerability
Published: 2026-01-23
Issuing CNA: Zero Day Initiative (ZDI-26-033)
Claimed Severity: Medium (CVSS 6.5 — CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-319 (Cleartext Transmission of Sensitive Information)

What the CVE Claims

User credentials (email and password) submitted to Open WebUI's login endpoint are transmitted in cleartext if the application is deployed over plain HTTP rather than HTTPS, allowing a network-adjacent attacker to intercept them.


Why This Is Not a Vulnerability

This describes a property of the HTTP protocol, not a defect in Open WebUI. Plain HTTP carries request bodies, including submitted credentials, without encryption; that is true of every web application served over it and is not something Open WebUI introduces.

Open WebUI is a backend application that exposes an HTTP interface. Whether that interface is exposed directly, behind a TLS-terminating reverse proxy, behind a load balancer with TLS, or via a managed platform, is the operator's deployment decision. The application does not, and is not expected to, mandate transport-layer configuration. The description is functionally equivalent to stating "if the operator deploys Apache HTTPD without HTTPS, login credentials are sent in cleartext" — a true statement that does not constitute a vulnerability in Apache.

CVSS Accuracy

The CVSS vector itself acknowledges the impracticality. AV:A (Adjacent) means the attacker must already sit on the same network segment as the client or server to observe traffic, and AC:H (High Attack Complexity) reflects a precondition outside the attacker's control: the operator must have deployed without TLS. Both conditions must hold for the C:H (credential disclosure) outcome to occur. In any conventional production deployment behind TLS termination, the scenario does not arise.

Applicable Security Policy Rules

  • Rule 1: Expected protocol behavior is not a vulnerability. HTTP's cleartext property is the textbook example.
  • Rule 6: The scenario manifests only when the operator deploys without TLS — not a property of Open WebUI's default configuration.
  • Rule 7: The report mischaracterizes a deployment-layer property as an application-layer defect.

Impact to Users

No action required, provided your deployment uses TLS. If you are running Open WebUI over plain HTTP in production, configure TLS termination via a reverse proxy — standard deployment hygiene for any web application, not a response to this CVE. See our HTTPS and Reverse Proxy Configuration guide.
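The deployment pattern described above (a TLS-terminating reverse proxy in front of the application, which is the operator's responsibility rather than the application's) looks like the following in nginx. This is an added example, not configuration shipped by the Open WebUI project or taken from the page; it assumes Open WebUI is listening on 127.0.0.1:8080 on the proxy host, that the public hostname is chat.example.com, and that certificates live under the usual Let's Encrypt paths. All three are placeholders to adjust. The commented-out first server block is the weak setting the CVE describes; the two blocks after it are the corrected form.

```nginx
# Added example (not Open WebUI's own config). Assumptions: upstream at
# 127.0.0.1:8080, hostname chat.example.com, Let's Encrypt certificate paths.

# --- Weak: plain HTTP proxied straight to the application. Every login POST
# (email + password) crosses the network unencrypted, which is the whole of
# what CVE-2026-0767 describes. Do not deploy this in production. ---
#
# server {
#     listen 80;
#     server_name chat.example.com;
#     location / {
#         proxy_pass http://127.0.0.1:8080;
#     }
# }

# --- Corrected: port 80 only redirects; nothing is proxied over it. ---
server {
    listen 80;
    listen [::]:80;
    server_name chat.example.com;
    return 301 https://$host$request_uri;
}

# --- Corrected: TLS terminates here; the upstream hop stays on loopback. ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name chat.example.com;

    ssl_certificate     /etc/letsencrypt/live/chat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header refuse plain HTTP for the host
    # afterwards, closing the window in which a first visit could be downgraded.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # WebSocket upgrade is needed for the streaming chat connection.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the application the client-facing scheme is HTTPS, so any
        # absolute URLs or secure-cookie decisions it makes are correct.
        proxy_set_header X-Forwarded-Proto https;

        # Long-running model responses; raise if streams are cut off.
        proxy_read_timeout 3600s;
    }
}
```

After reloading nginx, `curl -sI http://chat.example.com/` should return a 301 to the https:// URL with no application content, and `curl -sI https://chat.example.com/` should show the Strict-Transport-Security header. The upstream hop on 127.0.0.1 remains plain HTTP by design: it never leaves the host, so the network-adjacent interception in the CVE's vector has nothing to capture. If the proxy and Open WebUI run on different hosts, that hop also needs TLS or a private network.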



This content is for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. Open WebUI is provided "as is." See your license for applicable terms.