github · Classic298 · Jun 12, 2026
diff --git a/advisories/unreviewed/2026/01/GHSA-vh96-p962-544h/GHSA-vh96-p962-544h.json b/advisories/unreviewed/2026/01/GHSA-vh96-p962-544h/GHSA-vh96-p962-544h.json
@@ -1,24 +1,46 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vh96-p962-544h",
-  "modified": "2026-01-23T06:31:24Z",
+  "modified": "2026-01-23T06:31:32Z",
   "published": "2026-01-23T06:31:24Z",
   "aliases": [
     "CVE-2026-0767"
   ],
-  "details": "Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259.",
+  "summary": "[DISPUTED BY VENDOR] Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability",
+  "details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability in Open WebUI. The claim is that login credentials are sent in cleartext if the operator deploys over plain HTTP instead of HTTPS — a property of the HTTP protocol and of the operator's deployment choice, not a defect in the application. The advisory's own CVSS vector (AV:A, AC:H) reflects that it requires both an unencrypted deployment and a network-adjacent attacker. Out of scope per the Open WebUI security policy (Rules 1, 6, 7, 9). The corresponding report was filed via the project's GHSA channel (GHSA-77qj-pwfr-5fh7) and closed as out-of-scope; the CVE was published by ZDI in disregard of that vendor disposition. A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2026-0767/\n\n---\n\nOpen WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": ""
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0767"
     },
+    {
+      "type": "WEB",
+      "url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2026-0767"
+    },
     {
       "type": "WEB",
       "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-033"