Skip to main content

Open WebUI CVE-2026-59221

| EUVDEUVD-2026-42650 HIGH
Path Traversal (CWE-22)
2026-07-09 security-advisories@github.com
7.7
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable proxy needs a valid account (PR:L) and no interaction; the encoding bypass is low-complexity (AC:L); traversal crosses into the upstream terminal server (S:C), disclosing files (C:H) with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 19:01 EUVD
Analysis Generated
Jul 09, 2026 - 18:34 vuln.today

DescriptionCVE.org

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.

AnalysisAI

Path traversal in Open WebUI's terminal proxy (versions 0.9.6 through 0.9.x, fixed in 0.10.0) lets an authenticated attacker reach files and resources outside the intended proxy scope. The _sanitize_proxy_path routine in backend/open_webui/routers/terminals.py decoded incoming proxy paths exactly eight times, so a nine-times percent-encoded ../ sequence survived normalization and was decoded a final time by the upstream terminal server, defeating the traversal check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Open WebUI (low-priv account)
Delivery
Craft nine-times percent-encoded ../ path
Exploit
Send to terminal proxy endpoint
Execution
Bypass eight-pass sanitizer check
Persist
Upstream server decodes and resolves traversal
Impact
Read files outside intended directory

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Open WebUI account (CVSS PR:L) and a deployment where the terminal proxy feature in backend/open_webui/routers/terminals.py is reachable - the attacker submits a ../ traversal value percent-encoded nine times (or more) so it survives the sanitizer's fixed eight decode passes and is finally decoded by the upstream terminal server. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N describes a network-reachable, low-complexity attack that requires low privileges (PR:L, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Open WebUI user, or an attacker with stolen low-privilege credentials, crafts a request to the terminal proxy containing a ../ sequence percent-encoded nine times. Open WebUI's _sanitize_proxy_path decodes it only eight times, so the still-encoded payload passes the traversal check and is forwarded to the upstream terminal server, which decodes it fully and resolves the path outside the intended directory, disclosing files or resources it should not. …
Remediation Vendor-released patch: 0.10.0 - upgrade Open WebUI to v0.10.0 or later, which replaces the flawed eight-pass decode with correct normalization (fix commit https://github.com/open-webui/open-webui/commit/05098d25a58d03738e01c4e85e8852c3b4ad849c, PR https://github.com/open-webui/open-webui/pull/26050, advisory https://github.com/open-webui/open-webui/security/advisories/GHSA-frvj-c5qp-xj4w). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Open WebUI 0.9.6-0.9.x and restrict non-essential user access to terminal proxy features. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7053 CRITICAL POC
9.0 Mar 20

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session

CVE-2024-8017 CRITICAL POC
9.0 Mar 20

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the

CVE-2024-7044 HIGH POC
8.9 Mar 20

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui

CVE-2024-7806 HIGH POC
8.8 Mar 20

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit

CVE-2024-6707 HIGH POC
8.8 Aug 07

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver

CVE-2025-65959 HIGH POC
8.7 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St

CVE-2025-65958 HIGH POC
8.5 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se

CVE-2024-7990 HIGH POC
8.4 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV

CVE-2024-8053 HIGH POC
8.2 Mar 20

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u

CVE-2024-7034 HIGH POC
7.2 Mar 20

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin

CVE-2024-7959 HIGH POC
7.7 Mar 20

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2024-12537 HIGH POC
7.5 Mar 20

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker

Share

CVE-2026-59221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy