{"data":{"id":"2f99c8fe-d244-4acc-9e9d-169f8b8e38f2","title":"GHSA-m69w-p7m4-585j: Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)","summary":"Open WebUI had an unauthenticated endpoint at GET `/api/v1/memories/ef` that triggered embedding generation (the process of converting text into numerical vectors for AI understanding), allowing anyone to make requests without logging in. An attacker could repeatedly call this endpoint to waste computing resources, rack up charges if a paid embedding service like OpenAI was configured, or degrade the service for legitimate users.","solution":"Fixed in commit e5035ea31, first released in v0.8.0 (Feb 2026). The `/api/v1/memories/ef` route was removed entirely because it was a debug-style endpoint with no legitimate use. Users should upgrade to version 0.8.0 or later.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-m69w-p7m4-585j","publishedAt":"2026-05-14T20:28:02.000Z","cveId":"CVE-2026-45667","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["open-webui@<= 0.7.2 (fixed: 0.8.0)"],"affectedVendors":[],"affectedVendorsRaw":["Open WebUI","OpenAI","Azure"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T20:28:02.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}