CVE-2026-54007 | Open WebUI is a self-hosted artificial intelligence platform… | CVSS 7.1 HIGH

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent. This vulnerability is fixed in 0.9.6.

Metadata

CVE ID: CVE-2026-54007
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-11 16:34 UTC
Published: 2026-06-23 16:51 UTC
Last updated: 2026-06-23 16:51 UTC
Primary CWE: CWE-346
CWE-346: Origin Validation Error
Vendor / Product: open-webui / open-webui
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
open-webui	open-webui	—	< 0.9.6

Weakness (CWE)

CWE	Source	Description
CWE-346	cna	CWE-346: Origin Validation Error

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References (1)

https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55 https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55