CVE-2026-54007

UNKNOWN 0.0

Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent. This vulnerability is fixed in 0.9.6.

CWE	CWE-346
Vendor	open-webui
Product	open-webui
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for open-webui open-webui

Be the first to know when new unknown vulnerabilities affecting open-webui open-webui are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

open-webui / open-webui

< 0.9.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55