Cross-Origin Request Exploit in Open WebUI by Open WebUI
CVE-2026-59214
7.3HIGH
What is CVE-2026-59214?
An issue in Open WebUI, a self-hosted AI platform, allows for the execution of unauthorized server-side code via authenticated requests. This occurs when stored chat payloads utilize pyodide.http.pyfetch or JavaScript fetch and XMLHttpRequest APIs in a same-origin web worker. When a user triggers execution by clicking 'Run', this can lead to access of admin-only endpoints and potential exploitation of the server. The issue has been resolved in version 0.10.0.
Affected Version(s)
open-webui < 0.10.0
