CVE-2026-59220 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed <$skillId|label> skill mentions with overlapping quantifiers, allowing an authenticated chat message containing <$ without a closing > to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability exists within the Open WebUI platform's regular expression parsing mechanism in the middleware component. The specific flaw is found in the SKILL_MENTION_RE and strip_re patterns defined in backend/open_webui/utils/middleware.py, where overlapping quantifiers create a path for catastrophic backtracking behavior. This occurs when processing chat messages containing skill mentions formatted as <$skillId|label> but lacking proper closing delimiters. The vulnerability represents a classic example of regular expression denial of service (REDoS) that can be exploited through malicious input manipulation.

The technical implementation of this vulnerability stems from how the regular expressions handle overlapping quantifiers in the pattern matching process. When an attacker submits a chat message containing <$ without a corresponding closing > character, the regex engine enters into a state where it must explore exponentially growing possibilities for matching the pattern. This creates quadratic backtracking behavior that consumes excessive computational resources and blocks the asyncio event loop. The issue manifests specifically during the parsing phase when the system attempts to extract skill mentions from user messages, causing the entire platform to become unresponsive.

From an operational standpoint, this vulnerability creates a significant risk for authenticated users who can trigger the denial of service condition through carefully crafted chat messages. The blocking of the asyncio event loop means that legitimate requests cannot be processed while the system is stuck in the regex backtracking phase, effectively rendering the platform unavailable to other users. This affects the core functionality of the self-hosted AI platform and could be exploited to disrupt service availability or potentially cause resource exhaustion on the hosting server.

The fix implemented in version 0.10.0 addresses this by modifying the regular expressions to eliminate overlapping quantifiers that caused the catastrophic backtracking behavior. This aligns with common security practices for preventing regex-based denial of service attacks and follows established patterns for safe regex construction. The remediation ensures that skill mention parsing operates efficiently without creating exponential computational complexity that could be exploited by malicious actors.

This vulnerability type maps directly to CWE-400, which addresses unspecified denial of service conditions in regular expressions, and relates to ATT&CK technique T1499.004 for network denial of service through resource exhaustion. The issue demonstrates the importance of proper input validation and regex design in security-critical applications, particularly those that process user-generated content. Organizations should implement similar protections when handling untrusted input through pattern matching operations to prevent similar vulnerabilities from being exploited in other systems.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!