Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote attacker page (AV:N) needs no auth (PR:N) but requires victim click (UI:R); cross-origin abuse changes security scope (S:C); integrity-only impact via forced actions (I:H, C/A:N).
Primary rating from Vendor (https://github.com/open-webui/open-webui).
CVSS VectorVendor: https://github.com/open-webui/open-webui
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Summary
The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.
Details
The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.
Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L604-L622
However, combining the two other types, it is possible to achieve the same effect without this confirmation:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L584-L602
PoC
- Set up a local Open WebUI instance and log in to it, making sure a model is configured
- Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
<h1>Click anywhere</h1>
<script>
function sleep(ms) {
return new Promise(r => setTimeout(r, ms));
}
onclick = async () => {
w = window.open('http://127.0.0.1:14000');
await sleep(2000);
w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*');
await sleep(500);
w.postMessage({ type: 'action:submit' }, '*');
}
</script>- Click anywhere on the page, then notice without further interaction the "INJECTED PROMPT" is executed on the Open WebUI instance
<img width="874" height="264" alt="image" src="https://github.com/user-attachments/assets/244d9015-0dbf-47e0-a30e-1c2fbbde5e58" />
Impact
Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).
This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.
Original Agent Report
<img width="400" alt="app aikido dev_ai-pentests_projects_116389_assessments_019d67d4-81c8-7dd2-bb9e-0a4a774b2c78_issues_sidebarIssue=20439940 (4)" src="https://github.com/user-attachments/assets/7b6521ed-d08b-446d-a918-103523d08a1e" />
AnalysisAI
Cross-origin postMessage abuse in Open WebUI versions <= 0.9.5 allows an attacker-controlled web page to inject and auto-submit prompts into an authenticated victim's chat session without the normal 'Confirm Prompt from Embed' dialog. By chaining the input:prompt and action:submit window message types, a remote site triggers backend calls to /api/v1/chats/new and /api/chat/completions under the victim's credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim is currently authenticated to Open WebUI (valid session cookie present) and visits an attacker-controlled web page in the same browser, then performs at least one click on that page so `window.open` can spawn a handle to the Open WebUI origin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N) scores 7.1 and aligns with the facts: network-reachable, no privileges on the attacker side, but Passive user interaction (the victim must click an attacker page while authenticated) and integrity-only impact on the victim's chat/tool execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a page containing the published PoC and lures an authenticated Open WebUI user (e.g., via a phishing link or a watering-hole site) to click anywhere on it. The page opens the victim's Open WebUI tab via `window.open`, posts an `input:prompt` message setting attacker-controlled prompt text, and follows with `action:submit`, causing the victim's session to silently issue `POST /api/v1/chats/new` and `POST /api/chat/completions` with the malicious prompt and execute any enabled tools (code interpreter, terminal, retrieval) as the victim. … |
| Remediation | Vendor-released patch: Open WebUI 0.9.6 - upgrade via `pip install --upgrade open-webui` (or the equivalent container image bump) per the advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Open WebUI deployments and current versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38536
GHSA-3vv5-8xxp-4f55