CVE-2026-59224 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to make the terminal backend resolve another user identity; the HTTP proxy path also forwarded X-User-Id as an integrity-unbound identity claim. This issue is fixed in version 0.10.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability described affects Open WebUI, a self-hosted AI platform that provides a user-friendly interface for interacting with artificial intelligence models. This security flaw existed in versions prior to 0.10.0 and specifically targeted the terminal functionality within the application's backend architecture. The issue stems from improper handling of session identifiers and user authentication parameters during websocket terminal connections, creating a path for unauthorized access and identity manipulation.

The technical implementation flaw occurs in the file backend/open_webui/routers/terminals.py where the ws_terminal upstream URL construction process fails to properly encode the session_id parameter before incorporating it into the URL. This unencoded session_id is then appended as a query parameter alongside the user_id, creating an environment susceptible to query injection attacks. The vulnerability allows malicious actors to manipulate the terminal backend's behavior by injecting additional parameters or modifying existing ones within the URL structure.

The operational impact of this vulnerability is significant as it enables privilege escalation and unauthorized access to user resources. An attacker who can manipulate the session_id parameter could potentially impersonate other users within the terminal environment, gaining access to their sessions, commands, and potentially sensitive data processing capabilities. The HTTP proxy path forwarding X-User-Id as an integrity-unbound identity claim compounds this issue by creating a trust relationship that lacks proper validation mechanisms.

This vulnerability aligns with CWE-74 and CWE-79 principles, specifically addressing injection flaws and improper input handling in web applications. From an ATT&CK framework perspective, this represents a privilege escalation technique under T1078 (Valid Accounts) and potentially T1566 (Phishing) if the attack vector involves social engineering to obtain initial access. The vulnerability also demonstrates weaknesses in authentication and session management practices that violate security best practices for maintaining user isolation and preventing cross-user resource access.

The fix implemented in version 0.10.0 addresses these issues by properly encoding session identifiers before URL construction and implementing more robust integrity checks for identity claims. This remediation ensures that the X-User-Id header is validated against established session contexts rather than being blindly trusted, while also preventing query parameter injection through proper URL encoding mechanisms. The update represents a critical security enhancement that restores proper user authentication boundaries within the terminal functionality.

Organizations using Open WebUI should prioritize immediate upgrade to version 0.10.0 or later to mitigate this vulnerability. Additional security measures including monitoring for unusual terminal access patterns, implementing network-level restrictions on terminal endpoints, and conducting regular security audits of session handling mechanisms can provide defense-in-depth protection against potential exploitation attempts. The vulnerability serves as a reminder of the importance of proper input validation and parameter encoding in web applications to prevent injection attacks that could compromise user authentication and authorization systems.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!