Description
A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Patch
AI Analysis

Impact

A flaw in the generic_exception_handler function in backend/openui/server.py of wandb OpenUI (CVE-2026-4994) lets an attacker who can reach the service manipulate the argument named key and trigger an error response that carries internal information. The issue is classified as CWE-200 (exposure of sensitive information to an unauthorized actor) and CWE-209 (generation of error messages containing sensitive information) and has a CVSS v4.0 base score of 5.1 (Medium); the v3.1 score is 3.5 (Low). The record does not state exactly which values reach the error message; for a handler of this kind the exposed content is typically the exception text and details passed through from the upstream API status error, which an attacker can use to plan further attacks. Confidentiality impact is rated low, with no integrity or availability impact.

Affected Systems

The affected product is wandb OpenUI, versions up to 1.0/3.5-turb as the VulDB record words it. The issue resides in the backend component that handles APIStatusError exceptions raised by upstream API calls, and it is reachable by any client on an adjacent network (CVSS AV:A) holding low privileges (PR:L) that can interact with the API.

Risk and Exploitability

A proof of concept is publicly available (CVSS E:P, SSVC Exploitation: poc), and the attack vector is adjacent network (AV:A), so the attacker must be able to reach the OpenUI service from the same network segment. The CVSS score indicates moderate risk, but the EPSS probability is below 1% and the CVE is not on the CISA KEV list, so widespread exploitation has not been observed; SSVC also rates the issue as not automatable. Because the payload is readily available, any deployment that accepts API traffic from a network segment containing untrusted users should be treated as at risk of accidental or malicious information leakage. The attack consists of manipulating request parameters, specifically the key argument, in requests sent to the OpenUI service.

Generated by OpenCVE AI on March 28, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wandb OpenUI to a release that fixes the generic_exception_handler issue as soon as the vendor publishes one; at the time of writing no fixed version has been announced (see Remediation above)
  • Until a fix is available, restrict network access to the OpenUI service with firewall rules or network segmentation so that only trusted clients can reach the API endpoints
  • Monitor application logs for ERROR entries originating from generic_exception_handler, review the error bodies returned to clients for leaked internal values, and investigate unexpected callers promptly
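The leaky-versus-hardened handler pattern behind the Impact and Recommended Actions sections, as an added example written for this page rather than OpenUI's own code: a handler that echoes the exception text and request arguments to the client (the CWE-209 anti-pattern the advisory describes) beside one that returns a generic message with a correlation reference and keeps the redacted detail in the server log. The UpstreamAPIStatusError class, the logger name, the secret pattern and the sample values are all constructed for the demonstration and are assumptions, not names or formats taken from the project.

```python
"""Added illustration for the CVE-2026-4994 weakness class (CWE-209); not OpenUI code.

A framework-free stand-in for a FastAPI-style exception handler: each handler
takes an exception and returns (http_status, json_body). The exception class,
logger name, secret pattern and sample values are constructed for the demo.
"""
import json
import logging
import re
import uuid

log = logging.getLogger("openui.example")  # hypothetical logger name


class UpstreamAPIStatusError(Exception):
    """Constructed stand-in for an API client library's status error."""

    def __init__(self, status_code: int, message: str, request_args: dict):
        super().__init__(message)
        self.status_code = status_code
        self.request_args = request_args  # e.g. {"key": "sk-..."} kept by a client lib


# Token-like values to scrub from anything that is logged. The prefixes are
# chosen for the constructed sample; a real deployment would list its own.
SECRET_RE = re.compile(r"\b(?:sk|key)-[A-Za-z0-9_-]{8,}\b")


def redact(text: str) -> str:
    """Replace token-like substrings so logs never carry a usable credential."""
    return SECRET_RE.sub("[REDACTED]", text)


def leaky_handler(exc: Exception) -> tuple[int, str]:
    """CWE-209 anti-pattern: upstream error text and request arguments go to the client."""
    body = {
        "error": str(exc),                            # upstream message verbatim
        "details": getattr(exc, "request_args", {}),  # includes the 'key' argument
    }
    return 500, json.dumps(body)


def build_log_record(exc: Exception, ref: str) -> str:
    """Server-side detail: type, redacted message and redacted arguments, keyed by ref."""
    args = json.dumps(getattr(exc, "request_args", {}), sort_keys=True)
    return f"ref={ref} type={type(exc).__name__} msg={redact(str(exc))} args={redact(args)}"


def hardened_handler(exc: Exception) -> tuple[int, str]:
    """Generic message plus a correlation reference; detail stays in the server log."""
    ref = uuid.uuid4().hex[:12]  # lets an operator find the matching log line
    log.error(build_log_record(exc, ref))
    status = 502 if isinstance(exc, UpstreamAPIStatusError) else 500
    return status, json.dumps({"error": "upstream request failed", "ref": ref})


def leaks(body: str, secret: str) -> bool:
    """True when the client-visible body contains the secret."""
    return secret in body


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    secret = "sk-constructedSecret1234"  # constructed value, not a real key
    exc = UpstreamAPIStatusError(401, f"Incorrect API key provided: {secret}", {"key": secret})
    for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        status, body = handler(exc)
        print(f"{name}: status={status} leaks_secret={leaks(body, secret)} body={body}")
```

The hardened variant maps an upstream status error to 502 rather than 500 so that operators can tell upstream failures from bugs in the service itself, and the correlation reference is the only thing a client can use to get the detail, by asking someone who can read the server log.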

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wandb; Wandb openui

Type: Vendors & Products
Values Removed: (none)
Values Added: Wandb; Wandb openui

Sat, 28 Mar 2026 09:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: wandb OpenUI APIStatusError server.py generic_exception_handler information exposure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200; CWE-209

Type: References
Values Removed: (none)
Values Added: (not listed on this page)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 2.7, 'vector': 'AV:A/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T17:41:13.509Z

Reserved: 2026-03-27T13:48:00.731Z

Link: CVE-2026-4994

Vulnrichment

Updated: 2026-03-30T17:41:07.851Z

NVD

Status : Awaiting Analysis

Published: 2026-03-28T10:16:32.110

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-4994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:59:47Z

Weaknesses