Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Network-reachable identity spoof needing a low-privileged account (PR:L) and non-trivial injection crafting (AC:H); crossing into another user's identity is a scope change (S:C) with full C/I/A impact on the victim's terminal session.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.
AnalysisAI
Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Open WebUI account (CVSS PR:L) and an instance that exposes the terminal feature (the ws_terminal WebSocket endpoint in terminals.py). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, base 8.0) describes a high-impact but non-trivial attack: network-reachable, but requiring an existing low-privileged account (PR:L), high attack complexity (AC:H) to craft the injection and win the identity resolution, and user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a valid low-privileged Open WebUI account opens a terminal session and supplies a crafted session_id containing extra 'user_id=' query material (or forges the X-User-Id header on the HTTP proxy path). Because the backend concatenates the unencoded value into the upstream WebSocket URL and trusts the resulting user_id, the terminal backend resolves the attacker to a targeted victim's identity, granting that user's terminal session context. … |
| Remediation | Vendor-released patch: upgrade to Open WebUI 0.10.0 or later, which URL-encodes session identifiers and stops trusting the client-supplied X-User-Id claim (see advisory https://github.com/open-webui/open-webui/security/advisories/GHSA-j657-m4c4-24jq and release https://github.com/open-webui/open-webui/releases/tag/v0.10.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Open WebUI instances and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42636