CVE-2026-59214 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability exists within Open WebUI, a self-hosted AI platform designed for local deployment and use. The flaw stems from the platform's execution environment where client-side Python code runs through Pyodide within same-origin web workers. When users create chat payloads containing specific HTTP request methods such as pyodide.http.pyfetch or JavaScript fetch and XMLHttpRequest APIs, these requests maintain authenticated sessions due to the same-origin policy enforcement. This design allows malicious actors to craft payloads that can access admin-only endpoints when victims interact with them by clicking Run.

The technical implementation of this vulnerability leverages the browser's same-origin security model in an unintended way. When a victim clicks Run on a malicious payload, the Pyodide runtime executes Python code that makes HTTP requests using standard web APIs. These requests inherit the victim's authentication context and session cookies because they originate from the same domain as the target application. The vulnerability becomes particularly dangerous when configured tools allow server-side code execution capabilities, enabling attackers to escalate privileges and gain unauthorized access to administrative functions.

The operational impact of this vulnerability is significant as it transforms a client-side execution environment into a potential attack vector for privilege escalation. An attacker can craft malicious chat payloads that appear legitimate to users but contain hidden code that exploits the authenticated session to make requests to admin endpoints. This allows for complete compromise of the application's administrative functions, potentially enabling data exfiltration, system manipulation, or further lateral movement within the network. The vulnerability is particularly concerning because it requires no special privileges from the attacker beyond the ability to convince a victim to interact with malicious content.

This issue represents a classic case of insecure deserialization and privilege escalation through authenticated session hijacking, aligning with CWE-284 for improper access control and CWE-79 for cross-site scripting. The vulnerability demonstrates how client-side sandboxing can be bypassed when proper origin validation is not enforced during HTTP request execution. From an ATT&CK perspective, this maps to techniques involving privilege escalation through exploitation of authenticated sessions and command execution within constrained environments. The fix implemented in version 0.10.0 likely addresses the core issue by enforcing stricter origin validation or by modifying how HTTP requests are handled within the Pyodide execution context, preventing authenticated requests from being made through user-provided payloads.

The remediation approach required for this vulnerability involves implementing proper request origin validation and restricting the capabilities of code execution within same-origin contexts. Organizations should ensure that all user-generated content is properly sanitized and that any HTTP request capabilities are limited to prevent access to administrative endpoints. The updated version 0.10.0 demonstrates how addressing such vulnerabilities requires careful consideration of both client-side execution environments and their potential for bypassing security controls through legitimate browser features like same-origin policies.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!