Cross-Origin Request Exploit in Open WebUI by Open WebUI
CVE-2026-59214

7.3HIGH

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59214?

An issue in Open WebUI, a self-hosted AI platform, allows for the execution of unauthorized server-side code via authenticated requests. This occurs when stored chat payloads utilize pyodide.http.pyfetch or JavaScript fetch and XMLHttpRequest APIs in a same-origin web worker. When a user triggers execution by clicking 'Run', this can lead to access of admin-only endpoints and potential exploitation of the server. The issue has been resolved in version 0.10.0.

Affected Version(s)

open-webui < 0.10.0

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.