CVE-2026-59221 in Open WebUI
Summary
by MITRE • 07/09/2026
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability resides within the Open WebUI platform's proxy path sanitization mechanism, specifically in the _sanitize_proxy_path function located in backend/open_webui/routers/terminals.py. This flaw represents a classic directory traversal attack vector that exploits insufficient input validation and normalization processes. The vulnerability affects versions prior to 0.10.0 and demonstrates a critical weakness in how the system handles percent-encoded path sequences, particularly those involving parent directory references.
The technical implementation of this vulnerability stems from the function's inadequate handling of multiple levels of percent-encoding. When processing proxy paths, the _sanitize_proxy_path function only decoded percent-encoded sequences eight times during normalization, which creates a window for exploitation through carefully crafted nine-level encoded traversal sequences. This limitation allows an attacker to craft malicious input where the ninth level of percent-encoding ../ sequence remains undecoded and passes through the validation checks. The upstream terminal server then processes this malformed path, potentially enabling unauthorized access to system resources beyond the intended scope.
This vulnerability directly maps to CWE-22: Improper Limitation of a Pathname to a Restricted Directory, which addresses the fundamental issue of inadequate input validation for file paths and directory traversal attacks. The operational impact extends beyond simple path traversal, as it could enable attackers to access sensitive system files, execute arbitrary commands through terminal interfaces, or potentially escalate privileges within the self-hosted environment. The nature of this vulnerability is particularly concerning because Open WebUI operates as a self-hosted platform where users typically have elevated privileges and direct access to underlying system resources.
The attack surface for this vulnerability includes any component that relies on proxy path handling for terminal operations, making it a critical concern for organizations using this platform in production environments. The fix implemented in version 0.10.0 likely involves increasing the number of decoding iterations or implementing more robust path normalization logic to prevent such bypasses. From an ATT&CK perspective, this vulnerability aligns with T1566: Phishing and T1078: Valid Accounts, as it could enable unauthorized access through path traversal techniques that bypass normal authentication boundaries.
Organizations utilizing Open WebUI should immediately upgrade to version 0.10.0 or later to remediate this vulnerability. Additional mitigations include implementing network-level restrictions on terminal access, monitoring for unusual proxy path patterns, and conducting thorough security assessments of all self-hosted AI platforms. The vulnerability also highlights the importance of proper input validation and normalization in web applications, particularly those handling system-level operations through terminal interfaces where the consequences of path traversal attacks can be severe.