Skip to content

Commit 9c5dc87

Browse files
committed
Extend ZDI dispute timelines to the CNA-determination stage
Updates the CVE-2026-0765, 0766 and 0767 timelines: records that on 2026-07-06 the CVE Program forwarded the dispute to the issuing CNA (ZDI) for its determination under the record-dispute procedure, that neither ZDI nor the CVE Program responded to the earlier 2026-05-04 dispute, and that Open WebUI's original closure of each report gave the reporter no written explanation at the time, which was a mistake on Open WebUI's part. Drops the "despite the vendor's out-of-scope disposition" note on publication, since no written disposition was issued to the reporter.
1 parent 9441472 commit 9c5dc87

3 files changed

Lines changed: 15 additions & 12 deletions

File tree

docs/security/vendor-dispositions/cve-2026-0765.mdx

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -22,13 +22,14 @@ This CVE is formally disputed. The dispute is open and being pursued through the
2222

2323
| Date | Event |
2424
| :--- | :--- |
25-
| 2025-10 | ZDI submits the underlying report through Open WebUI's security channel; Open WebUI closes it as out of scope per its published security policy. |
26-
| 2026-01-23 | ZDI publishes the CVE (ZDI-26-031) despite the vendor's out-of-scope disposition. |
27-
| 2026-05-04 | Open WebUI files a formal dispute with the CVE Program and notifies ZDI directly. Neither responds. |
25+
| 2025-10 | ZDI submits the underlying report through Open WebUI's security channel. Open WebUI closes it as out of scope and not a vulnerability under its published security policy, but does so without giving the reporter a written explanation at the time, which was a mistake on Open WebUI's part. |
26+
| 2026-01-23 | ZDI publishes the CVE (ZDI-26-031). |
27+
| 2026-05-04 | Open WebUI files a formal dispute with the CVE Program and notifies ZDI directly. Neither ZDI nor the CVE Program responds. |
2828
| 2026-06-15 | Open WebUI files another dispute with the CVE Program; the Secretariat directs it to the issuing CNA (ZDI), which owns the record. The request is subsequently closed. |
2929
| 2026-07-02 | With the CNA non-responsive, Open WebUI escalates the dispute a third time, to the CVE Program's Root / Top-Level Root under the CVE Record Dispute Policy (v2.0.0). |
30+
| 2026-07-06 | Under the CVE Program's record-dispute procedure, the Program forwards the dispute to the issuing CNA (ZDI) for its determination. |
3031

31-
As of 2026-07-02 the dispute remains open and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
32+
As of 2026-07-06, the dispute is before the issuing CNA (ZDI) for its determination and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
3233

3334
---
3435

docs/security/vendor-dispositions/cve-2026-0766.mdx

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -22,13 +22,14 @@ This CVE is formally disputed. The dispute is open and being pursued through the
2222

2323
| Date | Event |
2424
| :--- | :--- |
25-
| 2025-10 | ZDI submits the underlying report through Open WebUI's security channel; Open WebUI closes it as out of scope per its published security policy. |
26-
| 2026-01-23 | ZDI publishes the CVE (ZDI-26-032) despite the vendor's out-of-scope disposition. |
27-
| 2026-05-04 | Open WebUI files a formal dispute with the CVE Program and notifies ZDI directly. Neither responds. |
25+
| 2025-10 | ZDI submits the underlying report through Open WebUI's security channel. Open WebUI closes it as out of scope and not a vulnerability under its published security policy, but does so without giving the reporter a written explanation at the time, which was a mistake on Open WebUI's part. |
26+
| 2026-01-23 | ZDI publishes the CVE (ZDI-26-032). |
27+
| 2026-05-04 | Open WebUI files a formal dispute with the CVE Program and notifies ZDI directly. Neither ZDI nor the CVE Program responds. |
2828
| 2026-06-15 | Open WebUI files another dispute with the CVE Program; the Secretariat directs it to the issuing CNA (ZDI), which owns the record. The request is subsequently closed. |
2929
| 2026-07-02 | With the CNA non-responsive, Open WebUI escalates the dispute a third time, to the CVE Program's Root / Top-Level Root under the CVE Record Dispute Policy (v2.0.0). |
30+
| 2026-07-06 | Under the CVE Program's record-dispute procedure, the Program forwards the dispute to the issuing CNA (ZDI) for its determination. |
3031

31-
As of 2026-07-02 the dispute remains open and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
32+
As of 2026-07-06, the dispute is before the issuing CNA (ZDI) for its determination and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
3233

3334
---
3435

docs/security/vendor-dispositions/cve-2026-0767.mdx

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -22,13 +22,14 @@ This CVE is formally disputed. The dispute is open and being pursued through the
2222

2323
| Date | Event |
2424
| :--- | :--- |
25-
| 2025-10 | ZDI submits the underlying report through Open WebUI's security channel; Open WebUI closes it as out of scope per its published security policy. |
26-
| 2026-01-23 | ZDI publishes the CVE (ZDI-26-033) despite the vendor's out-of-scope disposition. |
27-
| 2026-05-04 | Open WebUI files a formal dispute with the CVE Program and notifies ZDI directly. Neither responds. |
25+
| 2025-10 | ZDI submits the underlying report through Open WebUI's security channel. Open WebUI closes it as out of scope and not a vulnerability under its published security policy, but does so without giving the reporter a written explanation at the time, which was a mistake on Open WebUI's part. |
26+
| 2026-01-23 | ZDI publishes the CVE (ZDI-26-033). |
27+
| 2026-05-04 | Open WebUI files a formal dispute with the CVE Program and notifies ZDI directly. Neither ZDI nor the CVE Program responds. |
2828
| 2026-06-15 | Open WebUI files another dispute with the CVE Program; the Secretariat directs it to the issuing CNA (ZDI), which owns the record. The request is subsequently closed. |
2929
| 2026-07-02 | With the CNA non-responsive, Open WebUI escalates the dispute a third time, to the CVE Program's Root / Top-Level Root under the CVE Record Dispute Policy (v2.0.0). |
30+
| 2026-07-06 | Under the CVE Program's record-dispute procedure, the Program forwards the dispute to the issuing CNA (ZDI) for its determination. |
3031

31-
As of 2026-07-02 the dispute remains open and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
32+
As of 2026-07-06, the dispute is before the issuing CNA (ZDI) for its determination and the CVE record has not been amended. This disposition stands as Open WebUI's official assessment.
3233

3334
---
3435

0 commit comments

Comments
 (0)