Query Injection Vulnerability in Open WebUI Affects User Identity Integrity
CVE-2026-59224

8HIGH

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59224?

Open WebUI, a self-hosted AI platform, contains a vulnerability that allows for query injection due to improper handling of user identifiers. Specifically, before version 0.10.0, the system constructs terminal URLs using an unencoded session_id and includes the user_id as a query parameter. This vulnerability can permit an attacker to manipulate the terminal backend into recognizing another user's identity. Additionally, the HTTP proxy path used for communications forwarded X-User-Id, which poses a risk as it does not properly validate identity claims. This issue has been addressed and fixed in version 0.10.0.

Affected Version(s)

open-webui < 0.10.0

References

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.