Skip to main content

Open WebUI CVE-2026-56400

| EUVDEUVD-2026-44629 CRITICAL
Insufficient Session Expiration (CWE-613)
2026-07-15 VulnCheck GHSA-m5hr-9f92-qvh9
9.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Network-delivered but AC:H because it needs the allow_origins=* misconfig and an admin session; PR:N as the attacker is unauthenticated, UI:R for the admin visit, S:C and C/I/A:H for root code execution and container compromise.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 13:03 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 12:28 vuln.today
Analysis Generated
Jul 15, 2026 - 12:28 vuln.today
CVE Published
Jul 15, 2026 - 11:25 cve.org
CRITICAL 9.0

DescriptionCVE.org

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them.

AnalysisAI

Remote code execution in Open WebUI (self-hosted LLM interface) before the fixed 0.3.33 release allows attackers to hijack an authenticated admin session through a CORS misconfiguration. When an instance is deployed with allow_origins=* and an authenticated admin visits an attacker-controlled website, the malicious page can issue authenticated cross-origin requests to the /api/v1/functions endpoint and register attacker-supplied Python code, achieving code execution - and because the container runs as root by default, full container compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious website with CORS payload
Delivery
Lure authenticated admin to visit
Exploit
Browser sends credentialed request to /api/v1/functions
Execution
Register attacker Python function
Persist
Execute arbitrary code as root in container
Impact
Full instance/container compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires all of: (1) the target Open WebUI instance running a permissive CORS policy with allow_origins=* (the insecure, non-default-secure configuration named in the description); (2) a user with admin privileges - needed because the /api/v1/functions code-registration endpoint is admin-restricted - being actively authenticated with a valid session; and (3) that admin being social-engineered into visiting an attacker-controlled website while logged in (UI:P / user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page containing JavaScript that sends a credentialed cross-origin request to a target Open WebUI server's /api/v1/functions endpoint, registering a function with attacker-controlled Python. They lure a logged-in Open WebUI admin (via phishing link) to the page; because the server permits any origin with credentials, the victim's browser silently submits the request under the admin session, and the malicious code executes on the instance - as root inside the default Docker container. …
Remediation Vendor-released patch: upgrade to Open WebUI 0.3.33 or later, which corrects the CORS and session validation handling (see the GitHub Security Advisory GHSA-6xcp-7mpr-m7wm). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Open WebUI deployments and audit their CORS configuration; immediately restrict any instance configured with allow_origins=* (the default setting) to specific trusted domains or disable CORS if not required, and review API logs for suspicious cross-origin requests to /api/v1/functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7053 CRITICAL POC
9.0 Mar 20

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session

CVE-2024-8017 CRITICAL POC
9.0 Mar 20

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the

CVE-2024-7044 HIGH POC
8.9 Mar 20

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui

CVE-2024-7806 HIGH POC
8.8 Mar 20

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit

CVE-2024-6707 HIGH POC
8.8 Aug 07

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver

CVE-2025-65959 HIGH POC
8.7 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St

CVE-2025-65958 HIGH POC
8.5 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se

CVE-2024-7990 HIGH POC
8.4 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV

CVE-2024-8053 HIGH POC
8.2 Mar 20

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u

CVE-2024-7034 HIGH POC
7.2 Mar 20

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin

CVE-2024-7959 HIGH POC
7.7 Mar 20

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2024-12537 HIGH POC
7.5 Mar 20

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker

Share

CVE-2026-56400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy