GHSA-m69w-p7m4-585j: Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
Summary
Open WebUI had an unauthenticated endpoint at GET `/api/v1/memories/ef` that triggered embedding generation (the process of converting text into numerical vectors for AI understanding), allowing anyone to make requests without logging in. An attacker could repeatedly call this endpoint to waste computing resources, rack up charges if a paid embedding service like OpenAI was configured, or degrade the service for legitimate users.
Solution / Mitigation
Fixed in commit e5035ea31, first released in v0.8.0 (Feb 2026). The `/api/v1/memories/ef` route was removed entirely because it was a debug-style endpoint with no legitimate use. Users should upgrade to version 0.8.0 or later.
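For deployments that ran a version before 0.8.0, the sketch below scans access logs for bursts of requests to the removed route. It is an added example, not code from the advisory or from Open WebUI. It assumes a reverse proxy writing common/combined log format; the 60-second window, the threshold of 3, the `_line` helper and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ROUTE = "/api/v1/memories/ef"  # route named in the advisory
# Assumption: reverse-proxy access log in common/combined log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Map client IP -> peak hits on ROUTE inside one window, if >= threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["target"].split("?", 1)[0]  # ignore any query string
        # Assumption: only 2xx responses mean the route was actually served.
        if path != ROUTE or not m["status"].startswith("2"):
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, hhmmss, method, target, status):
    """Build one constructed log line (hypothetical helper for the sample)."""
    return (f'{ip} - - [14/May/2026:{hhmmss} +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512 "-" "-"')

SAMPLE = [  # constructed log lines, not real traffic
    *[_line("203.0.113.7", t, "GET", ROUTE, 200)
      for t in ("10:00:01", "10:00:05", "10:00:20", "10:00:50")],   # burst
    _line("203.0.113.7", "10:00:30", "GET", "/", 200),              # other path
    _line("198.51.100.9", "10:00:10", "GET", ROUTE, 200),           # single hit
    *[_line("192.0.2.4", t, "GET", ROUTE, 200)
      for t in ("10:00:00", "10:02:00", "10:04:00")],               # spread out
    *[_line("198.51.100.20", t, "GET", ROUTE, 404)
      for t in ("10:05:00", "10:05:01", "10:05:02")],               # not served
]

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE).items():
        print(f"{ip}: {peak} requests to {ROUTE} within the window")
```

Because the endpoint required no login, the client address in the log is the only identity available, so tune the window and threshold to the deployment's normal traffic.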
Vulnerability Details
EPSS: 0.0%
Yes
May 14, 2026
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-m69w-p7m4-585j
First tracked: May 14, 2026 at 08:00 PM