CVE-2026-59223 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in Open WebUI prior to version 0.10.0 represents a critical access control flaw that undermines the platform's security posture through improper URL validation mechanisms. This weakness specifically affects the WEB_FETCH_FILTER_LIST functionality which is designed to restrict outbound network requests based on configured host entries, creating a pathway for attackers to bypass intended security policies through crafted URL patterns.

The technical implementation flaw stems from insufficient hostname matching logic that fails to properly validate domain boundaries when processing URL strings. The system's comparison algorithm treats host entries as non-label-boundary suffixes rather than strict hostname matches, allowing malicious actors to exploit path-based bypass techniques where a blocklist entry like !internal.example.com could be circumvented by placing it within URL paths or through sibling-domain exploitation patterns. This approach violates fundamental security principles of domain isolation and creates potential for unauthorized data exfiltration or internal network reconnaissance.

The operational impact of this vulnerability extends beyond simple access control bypasses, creating opportunities for attackers to perform lateral movement within networks that rely on Open WebUI's outbound request filtering. An attacker could potentially access internal services that should be restricted by placing malicious requests in URL paths where the filter fails to recognize the hostname component as a match. This weakness particularly affects organizations that depend on strict network segmentation policies and could enable unauthorized access to sensitive internal resources through the AI platform's proxy functionality.

This vulnerability aligns with CWE-284 Access Control Issues, specifically manifesting as improper access control due to inadequate validation of URL components in filtering mechanisms. The issue also maps to ATT&CK technique T1071.004 Application Layer Protocol: DNS where attackers could leverage the bypass capabilities to establish covert communication channels. The fix implemented in version 0.10.0 addresses this by enforcing proper hostname boundary checking that ensures only exact domain matches trigger filter actions, preventing path-based and sibling-domain bypass techniques.

Organizations utilizing Open WebUI should immediately implement mitigations including immediate upgrade to version 0.10.0 or higher, followed by comprehensive review of existing WEB_FETCH_FILTER_LIST configurations to ensure proper hostname specification without relying on suffix matching patterns that could be exploited. Security teams should also consider implementing additional monitoring for outbound network requests from the platform to detect any potential exploitation attempts before they can cause significant damage. The remediation process should include validation testing of all configured filters to confirm that hostname boundaries are properly enforced and that no bypass paths remain available through path-based or domain-sibling manipulation techniques.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!