Skip to main content

Open WebUI CVE-2026-59224

| EUVDEUVD-2026-42636 HIGH
Improper Authentication (CWE-287)
2026-07-09 security-advisories@github.com
8.0
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Network-reachable identity spoof needing a low-privileged account (PR:L) and non-trivial injection crafting (AC:H); crossing into another user's identity is a scope change (S:C) with full C/I/A impact on the victim's terminal session.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 18:01 EUVD
Analysis Generated
Jul 09, 2026 - 17:35 vuln.today

DescriptionCVE.org

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.

AnalysisAI

Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged user
Delivery
Craft malicious session_id in terminal request
Exploit
Inject user_id query param or forge X-User-Id
Execution
Backend resolves victim identity
Impact
Gain victim terminal session context

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Open WebUI account (CVSS PR:L) and an instance that exposes the terminal feature (the ws_terminal WebSocket endpoint in terminals.py). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, base 8.0) describes a high-impact but non-trivial attack: network-reachable, but requiring an existing low-privileged account (PR:L), high attack complexity (AC:H) to craft the injection and win the identity resolution, and user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a valid low-privileged Open WebUI account opens a terminal session and supplies a crafted session_id containing extra 'user_id=' query material (or forges the X-User-Id header on the HTTP proxy path). Because the backend concatenates the unencoded value into the upstream WebSocket URL and trusts the resulting user_id, the terminal backend resolves the attacker to a targeted victim's identity, granting that user's terminal session context. …
Remediation Vendor-released patch: upgrade to Open WebUI 0.10.0 or later, which URL-encodes session identifiers and stops trusting the client-supplied X-User-Id claim (see advisory https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq and release https://github.com/open-webui/open-webui/releases/tag/v0.10.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Open WebUI instances and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7053 CRITICAL POC
9.0 Mar 20

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session

CVE-2024-8017 CRITICAL POC
9.0 Mar 20

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the

CVE-2024-7044 HIGH POC
8.9 Mar 20

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui

CVE-2024-7806 HIGH POC
8.8 Mar 20

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit

CVE-2024-6707 HIGH POC
8.8 Aug 07

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver

CVE-2025-65959 HIGH POC
8.7 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St

CVE-2025-65958 HIGH POC
8.5 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se

CVE-2024-7990 HIGH POC
8.4 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV

CVE-2024-8053 HIGH POC
8.2 Mar 20

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u

CVE-2024-7034 HIGH POC
7.2 Mar 20

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin

CVE-2024-7959 HIGH POC
7.7 Mar 20

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2024-12537 HIGH POC
7.5 Mar 20

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker

Share

CVE-2026-59224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy