Path-based Blocklist Bypass in Open WebUI by Open WebUI
CVE-2026-59223
4.3MEDIUM
What is CVE-2026-59223?
Open WebUI is a self-hosted AI platform that, prior to version 0.10.0, had a vulnerability in its WEB_FETCH_FILTER_LIST feature. This issue allowed attackers to bypass path-based blocklists by matching configured host entries against URL strings without adhering to label boundaries. Consequently, this made it feasible for malicious URLs with sibling-domain patterns to exploit the intended hostname policy, posing a significant security risk. The vulnerability is addressed in version 0.10.0, where the path-based blocking mechanism has been reinforced to prevent such bypass attempts.
Affected Version(s)
open-webui < 0.10.0
