Skip to main content

Open WebUI EUVDEUVD-2026-42616

| CVE-2026-59214 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 GitHub_M
9.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.0 CRITICAL

Low-priv attacker stores payload (PR:L) but a privileged victim must click Run (UI:R); browser-context code reaches server admin APIs, so scope changes (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jul 10, 2026 - 19:44 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 19:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 19:37 NVD
HIGH CRITICAL
CVSS changed
Jul 10, 2026 - 19:37 NVD
7.3 (HIGH) 9.0 (CRITICAL)
Re-analysis Queued
Jul 10, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 19:37 NVD
HIGH CRITICAL
CVSS changed
Jul 10, 2026 - 19:37 NVD
7.3 (HIGH) 9.0 (CRITICAL)
Patch available
Jul 09, 2026 - 18:01 EUVD
Analysis Generated
Jul 09, 2026 - 17:01 vuln.today

DescriptionNVD

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0.

AnalysisAI

Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Open WebUI account
Delivery
Store malicious Python chat payload
Exploit
Lure admin to click Run
Execution
Pyodide executes in same-origin worker
Persist
Authenticated fetch to admin-only endpoints
Impact
Invoke configured tools for server-side code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) an authenticated attacker able to create/store a chat payload (PR:L); (2) the Open WebUI in-browser Pyodide Python execution feature being enabled so pyodide.http.pyfetch or js fetch/XMLHttpRequest are reachable; (3) a victim with higher privileges - realistically an admin - actively clicking Run on the malicious chat content (UI:R); and (4) server-side tools being configured for the code-execution-through-tools impact. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged Open WebUI account crafts a chat containing Python that calls pyodide.http.pyfetch (or js fetch) against admin-only API endpoints and shares or otherwise surfaces it to an administrator. When the admin opens the chat and clicks Run, the code executes in the same-origin web worker under the admin's session, silently invoking administrative actions and triggering server-side code execution via configured tools. …
Remediation Upgrade to Open WebUI 0.10.0 or later, which contains the fix (Vendor-released patch: 0.10.0); see the advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-4r2p-27mh-5m22. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Open WebUI deployments and versions; immediately restrict chat access to trusted administrators for any pre-0.10.0 instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-42616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy