Path-based Blocklist Bypass in Open WebUI by Open WebUI
CVE-2026-59223

4.3MEDIUM

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59223?

Open WebUI is a self-hosted AI platform that, prior to version 0.10.0, had a vulnerability in its WEB_FETCH_FILTER_LIST feature. This issue allowed attackers to bypass path-based blocklists by matching configured host entries against URL strings without adhering to label boundaries. Consequently, this made it feasible for malicious URLs with sibling-domain patterns to exploit the intended hostname policy, posing a significant security risk. The vulnerability is addressed in version 0.10.0, where the path-based blocking mechanism has been reinforced to prevent such bypass attempts.

Affected Version(s)

open-webui < 0.10.0

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.