Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Low-priv attacker stores payload (PR:L) but a privileged victim must click Run (UI:R); browser-context code reaches server admin APIs, so scope changes (S:C) with full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionNVD
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0.
Articles & Coverage 1
AnalysisAI
Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) an authenticated attacker able to create/store a chat payload (PR:L); (2) the Open WebUI in-browser Pyodide Python execution feature being enabled so pyodide.http.pyfetch or js fetch/XMLHttpRequest are reachable; (3) a victim with higher privileges - realistically an admin - actively clicking Run on the malicious chat content (UI:R); and (4) server-side tools being configured for the code-execution-through-tools impact. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged Open WebUI account crafts a chat containing Python that calls pyodide.http.pyfetch (or js fetch) against admin-only API endpoints and shares or otherwise surfaces it to an administrator. When the admin opens the chat and clicks Run, the code executes in the same-origin web worker under the admin's session, silently invoking administrative actions and triggering server-side code execution via configured tools. … |
| Remediation | Upgrade to Open WebUI 0.10.0 or later, which contains the fix (Vendor-released patch: 0.10.0); see the advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-4r2p-27mh-5m22. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Open WebUI deployments and versions; immediately restrict chat access to trusted administrators for any pre-0.10.0 instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42616