CVE Catalog

CVE-2026-54007

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

Open WebUI before version 0.9.6 has a vulnerability where the chat message listener accepts `input:prompt` and `action:submit` messages from non-same-origin sources. An external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session, leading to unauthorized POST requests to API endpoints.

Risk Assessment

An attacker can force the victim to perform unwanted actions, such as creating new chats and sending queries to AI models, using the victim's privileges without consent. This could lead to data confidentiality breaches or uncontrolled resource usage.

Recommendation

Immediately update Open WebUI to version 0.9.6 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent. This vulnerability is fixed in 0.9.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS