Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent. This vulnerability is fixed in 0.9.6.
Published: 2026-06-23
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI is a self‑hosted artificial intelligence platform that operates entirely offline. Prior to version 0.9.6, the chat message listener accepted non‑same‑origin input:prompt and action:submit messages, allowing an external page to set prompt text and trigger submitPrompt() in an authenticated victim session. This flaw, classified as CWE‑346, lets a cross‑origin attacker automatically post these messages, causing the victim’s browser to send unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker‑controlled prompts, thereby executing model or tool actions under the victim’s privileges without consent. The vulnerability was fixed in version 0.9.6.
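The following is an added example, not code from Open WebUI or from the advisory. It models the chat page's window "message" listener in the vulnerable shape described above (any origin may set the prompt and force submitPrompt()) next to a hardened listener that compares event.origin with the page's own origin before acting, and replays a constructed cross-origin message sequence against both. The payload shape ({type, text}), the origins and every name other than submitPrompt, input:prompt and action:submit are assumptions; the exact change shipped in 0.9.6 is not shown on this page.

```javascript
// Added example (not Open WebUI's code): a minimal model of a chat page's
// window "message" listener, in the pre-0.9.6 shape (no origin check) and in a
// hardened shape that drops messages whose event.origin is not the page's own.
// Assumptions, not from the advisory: the message payload is {type, text};
// the real field names and the exact 0.9.6 patch are not shown on the page.
const INPUT_PROMPT = 'input:prompt';
const ACTION_SUBMIT = 'action:submit';

// trustedOrigin === null models the vulnerable listener; in a real page the
// trusted value is window.location.origin (passed in here so it runs under Node).
function createChatPage(trustedOrigin) {
  const page = { prompt: '', submitted: [] };

  // Stand-in for submitPrompt(): in the real app this is where the browser
  // issues POST /api/v1/chats/new and POST /api/chat/completions with the
  // user's session. Here it just records what would have been sent.
  function submitPrompt() {
    if (page.prompt.trim() === '') return false;
    page.submitted.push(page.prompt);
    page.prompt = '';
    return true;
  }

  // Handler for window.addEventListener('message', ...). `event` carries the
  // two MessageEvent fields that matter here: origin and data.
  page.onMessage = function (event) {
    // The check that was missing: cross-origin senders are ignored outright,
    // before any field of event.data is inspected.
    if (trustedOrigin !== null && event.origin !== trustedOrigin) {
      return { accepted: false, reason: 'origin mismatch' };
    }
    const msg = event.data;
    if (!msg || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'malformed' };
    }
    switch (msg.type) {
      case INPUT_PROMPT:
        if (typeof msg.text !== 'string') return { accepted: false, reason: 'malformed' };
        page.prompt = msg.text;
        return { accepted: true };
      case ACTION_SUBMIT:
        return { accepted: true, submitted: submitPrompt() };
      default:
        return { accepted: false, reason: 'unknown type' };
    }
  };
  return page;
}

// Deliver a sequence of messages as if postMessage'd from `origin`.
function replay(page, origin, messages) {
  return messages.map((data) => page.onMessage({ origin, data }));
}

// Constructed attacker sequence: set the prompt, then force submission.
const ATTACKER_MESSAGES = [
  { type: INPUT_PROMPT, text: 'attacker-controlled prompt' },
  { type: ACTION_SUBMIT },
];
const WEBUI_ORIGIN = 'https://webui.example.internal'; // hypothetical
const ATTACKER_ORIGIN = 'https://attacker.example';    // hypothetical

function demo() {
  const vulnerable = createChatPage(null);
  replay(vulnerable, ATTACKER_ORIGIN, ATTACKER_MESSAGES);

  const hardened = createChatPage(WEBUI_ORIGIN);
  const rejected = replay(hardened, ATTACKER_ORIGIN, ATTACKER_MESSAGES);
  const fromAttacker = hardened.submitted.length;
  replay(hardened, WEBUI_ORIGIN, ATTACKER_MESSAGES); // same-origin use still works

  return {
    vulnerableSubmitted: vulnerable.submitted.length, // 1: forced submission
    hardenedFromAttacker: fromAttacker,                // 0: both messages dropped
    hardenedRejectReasons: rejected.map((r) => r.reason),
    hardenedSameOrigin: hardened.submitted.length,     // 1: legitimate path intact
  };
}

console.log(demo());
```

In a real page the handler is registered with window.addEventListener('message', page.onMessage) and the trusted origin is window.location.origin. The comparison must be an exact match against a fixed expected origin, not a prefix or substring test on event.origin. Framing defences such as a CSP frame-ancestors directive do not substitute for this check: a page opened via window.open also hands the opener a window reference it can postMessage to.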

Affected Systems

Open WebUI self-hosted AI platform: any deployment running a version earlier than 0.9.6 is susceptible.

Risk and Exploitability

The CVSS 4.0 score of 7.1 indicates high severity, but there is no EPSS data and no KEV listing, so there is no public evidence of widespread exploitation. The vector (AV:N/AC:L/AT:N/PR:N/UI:P) requires only passive user interaction: a user who is authenticated to Open WebUI must load, or have open, a malicious page that holds a window reference to the Open WebUI session (postMessage needs one, for example from window.open or a frame). That page posts input:prompt followed by action:submit, and the victim's own browser then issues the chat and completion requests with the victim's session; no server-side privilege escalation is required. The rated impact is to integrity (VI:H), not confidentiality (VC:N): the attacker can force unauthorized model and tool execution with attacker-chosen prompts under the victim's privileges, which is a significant risk wherever configured tools have side effects.

Generated by OpenCVE AI on June 24, 2026 at 11:44 UTC.

Remediation

Vendor fix: upgrade to Open WebUI 0.9.6 or later, the release that closes the cross-origin postMessage listener (see the Description and GHSA-3vv5-8xxp-4f55). No vendor workaround for earlier versions is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.6 or later, where the chat message listener no longer accepts non-same-origin input:prompt and action:submit messages.
  • If an upgrade is not possible at once, reduce exposure by placing the web UI behind a VPN or corporate firewall, but note the limits of that step: the forged POST /api/v1/chats/new and POST /api/chat/completions requests are sent by the victim's own browser from the Open WebUI page itself, so they are same-origin and carry the victim's session, and filtering API requests by origin or source address does not stop the attack.
  • Monitor user sessions and audit calls to /api/v1/chats/new and /api/chat/completions for chats and prompts users did not initiate, with particular attention to completions that invoke tools with side effects. action:submit is a postMessage type handled in the browser, not an API endpoint, so it cannot be removed server-side; the effective fix is the upgrade.

Advisories
Source: GitHub GHSA
ID: GHSA-3vv5-8xxp-4f55
Title: Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
History

Tue, 23 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Open-webui; Open-webui open-webui
Vendors & Products                    Open-webui; Open-webui open-webui

Tue, 23 Jun 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent. This vulnerability is fixed in 0.9.6.
Title                          Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
Weaknesses                     CWE-346
References
Metrics                        cvssV4_0: score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:51:27.546Z

Reserved: 2026-06-11T16:34:11.635Z

Link: CVE-2026-54007

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:45:02Z

Weaknesses