Skip to main content

Open WebUI EUVDEUVD-2026-38536

| CVE-2026-54007 HIGH
Origin Validation Error (CWE-346)
2026-06-17 https://github.com/open-webui/open-webui GHSA-3vv5-8xxp-4f55
7.1
CVSS 4.0 · Vendor: https://github.com/open-webui/open-webui
Share

Severity by source

Vendor (https://github.com/open-webui/open-webui) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Remote attacker page (AV:N) needs no auth (PR:N) but requires victim click (UI:R); cross-origin abuse changes security scope (S:C); integrity-only impact via forced actions (I:H, C/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/open-webui/open-webui).

CVSS VectorVendor: https://github.com/open-webui/open-webui

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 18:36 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 18:22 NVD
7.1 (HIGH)
Source Code Evidence Fetched
Jun 18, 2026 - 01:30 vuln.today
Analysis Generated
Jun 18, 2026 - 01:30 vuln.today

DescriptionCVE.org

Summary

The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.

Details

The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.

Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L604-L622

However, combining the two other types, it is possible to achieve the same effect without this confirmation:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L584-L602

PoC

  1. Set up a local Open WebUI instance and log in to it, making sure a model is configured
  2. Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
html
<h1>Click anywhere</h1>
<script>
  function sleep(ms) {
    return new Promise(r => setTimeout(r, ms));
  }

  onclick = async () => {
    w = window.open('http://127.0.0.1:14000');
    await sleep(2000);
    w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*');
    await sleep(500);
    w.postMessage({ type: 'action:submit' }, '*');
  }
</script>
  1. Click anywhere on the page, then notice without further interaction the "INJECTED PROMPT" is executed on the Open WebUI instance

<img width="874" height="264" alt="image" src="https://github.com/user-attachments/assets/244d9015-0dbf-47e0-a30e-1c2fbbde5e58" />

Impact

Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).

This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.

Original Agent Report

<img width="400" alt="app aikido dev_ai-pentests_projects_116389_assessments_019d67d4-81c8-7dd2-bb9e-0a4a774b2c78_issues_sidebarIssue=20439940 (4)" src="https://github.com/user-attachments/assets/7b6521ed-d08b-446d-a918-103523d08a1e" />

AnalysisAI

Cross-origin postMessage abuse in Open WebUI versions <= 0.9.5 allows an attacker-controlled web page to inject and auto-submit prompts into an authenticated victim's chat session without the normal 'Confirm Prompt from Embed' dialog. By chaining the input:prompt and action:submit window message types, a remote site triggers backend calls to /api/v1/chats/new and /api/chat/completions under the victim's credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure authenticated victim to attacker page
Delivery
Victim clicks, triggering window.open to Open WebUI
Exploit
postMessage input:prompt with attacker text
Execution
postMessage action:submit bypassing confirm dialog
Persist
submitPrompt() runs in victim session
Impact
Backend executes chat/tool calls as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is currently authenticated to Open WebUI (valid session cookie present) and visits an attacker-controlled web page in the same browser, then performs at least one click on that page so `window.open` can spawn a handle to the Open WebUI origin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N) scores 7.1 and aligns with the facts: network-reachable, no privileges on the attacker side, but Passive user interaction (the victim must click an attacker page while authenticated) and integrity-only impact on the victim's chat/tool execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a page containing the published PoC and lures an authenticated Open WebUI user (e.g., via a phishing link or a watering-hole site) to click anywhere on it. The page opens the victim's Open WebUI tab via `window.open`, posts an `input:prompt` message setting attacker-controlled prompt text, and follows with `action:submit`, causing the victim's session to silently issue `POST /api/v1/chats/new` and `POST /api/chat/completions` with the malicious prompt and execute any enabled tools (code interpreter, terminal, retrieval) as the victim. …
Remediation Vendor-released patch: Open WebUI 0.9.6 - upgrade via `pip install --upgrade open-webui` (or the equivalent container image bump) per the advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Open WebUI deployments and current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy