Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered but AC:H because it needs the allow_origins=* misconfig and an admin session; PR:N as the attacker is unauthenticated, UI:R for the admin visit, S:C and C/I/A:H for root code execution and container compromise.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them.
AnalysisAI
Remote code execution in Open WebUI (self-hosted LLM interface) before the fixed 0.3.33 release allows attackers to hijack an authenticated admin session through a CORS misconfiguration. When an instance is deployed with allow_origins=* and an authenticated admin visits an attacker-controlled website, the malicious page can issue authenticated cross-origin requests to the /api/v1/functions endpoint and register attacker-supplied Python code, achieving code execution - and because the container runs as root by default, full container compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of: (1) the target Open WebUI instance running a permissive CORS policy with allow_origins=* (the insecure, non-default-secure configuration named in the description); (2) a user with admin privileges - needed because the /api/v1/functions code-registration endpoint is admin-restricted - being actively authenticated with a valid session; and (3) that admin being social-engineered into visiting an attacker-controlled website while logged in (UI:P / user interaction). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page containing JavaScript that sends a credentialed cross-origin request to a target Open WebUI server's /api/v1/functions endpoint, registering a function with attacker-controlled Python. They lure a logged-in Open WebUI admin (via phishing link) to the page; because the server permits any origin with credentials, the victim's browser silently submits the request under the admin session, and the malicious code executes on the instance - as root inside the default Docker container. … |
| Remediation | Vendor-released patch: upgrade to Open WebUI 0.3.33 or later, which corrects the CORS and session validation handling (see the GitHub Security Advisory GHSA-6xcp-7mpr-m7wm). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Open WebUI deployments and audit their CORS configuration; immediately restrict any instance configured with allow_origins=* (the default setting) to specific trusted domains or disable CORS if not required, and review API logs for suspicious cross-origin requests to /api/v1/functions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-613 – Insufficient Session Expiration
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44629
GHSA-m5hr-9f92-qvh9