Threat Advisory

Open WebUI Flaw Lets Attackers Bypass Confirmation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in pip:open-webui, affecting versions <= 0.9.5 and potentially leading to cross-origin command execution (confirmation bypass), unauthorized API calls, cross-user file read and deletion, stored XSS, and path traversal/SSRF. One of the underlying reports also notes that the shared-chat code path is not gated on `access_type`: the grant lookup hardcodes `permission='read'`, but nothing checks that the request itself is a read. The overall risk is high, with potential for account takeover and data exposure.

CVE-2026-54007 (CVSS 7.1 — High): A cross-origin postMessage confirmation bypass vulnerability exists in Open WebUI via action:submit, allowing an external site to set prompt text and trigger submitPrompt in an authenticated victim session.

CVE-2026-54008 (CVSS 8.5 — High): An SSRF redirect-bypass vulnerability is present in Open WebUI's OAuth _process_picture_url, potentially leading to unauthorized API calls.

CVE-2026-54010 (CVSS 8.3 — High): A forged chat-file link allows cross-user file read and deletion in Open WebUI.

CVE-2026-54011 (CVSS 8.7 — High): Stored XSS exists in Mermaid Markdown Preview in Open WebUI, potentially leading to account takeover.

CVE-2026-54012 (CVSS 7.1 — High): A forged model meta.knowledge allows cross-user file read and deletion in Open WebUI.

CVE-2026-54013 (CVSS 7.6 — High): Stored XSS to Account Takeover via Model Profile Images exists in Open WebUI.

CVE-2026-54017 (CVSS 7.7 — High): Path traversal/SSRF in terminal server proxy via encoded path traversal is present in Open WebUI.

CVE-2026-54018 (CVSS 7.7 — High): SSRF protection bypass in Playwright Web Loader via HTTP redirects exists in Open WebUI.

CVE-2026-45401: An incomplete-fix sibling of CVE-2026-54008. The SSRF redirect bypass in Open WebUI's OAuth _process_picture_url was not fully closed by the earlier fix.

The `_process_picture_url` SSRF has a longer fix history, which is why the earlier patches are not sufficient on their own:

CVE-2026-45338 (GHSA-24c9): `_process_picture_url` made no `validate_url` call at all. Fixed in v0.9.0 by adding the call.

CVE-2026-45400 (GHSA-8w7q): `validate_url` relied on urlparse while the HTTP client (requests) parsed the URL differently on `\@` characters, so a URL that validated as one host could be fetched as another. Fixed in v0.9.5 with a character blocklist.

These vulnerabilities collectively present a high risk to users and administrators. Administrators should review their exposure and apply updates.
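As an added example (not Open WebUI's code and not taken from the linked advisories), the Python below contrasts the pattern the redirect-bypass and parser-disagreement findings describe with a hardened version: the vulnerable fetcher validates only the first URL and lets the client follow redirects, while the guarded fetcher disables client redirects, re-validates every hop, and refuses the characters (`\`, `@`) on which urlparse and an HTTP client can disagree about where the host ends. `validate_url` here is a hypothetical stand-in that merely shares its name with the project's function; `FAKE_DNS`, `FAKE_WEB`, every hostname, address and response are constructed so the example runs offline.

```python
# Added example, not Open WebUI's code. FAKE_DNS / FAKE_WEB are constructed
# stand-ins for a resolver and an HTTP client so this runs offline.
import ipaddress
from urllib.parse import urljoin, urlsplit

FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "avatars.example.org": ["151.101.1.69"],
    "metadata.internal": ["169.254.169.254"],  # link-local metadata endpoint
}
META = "http://metadata.internal/latest/meta-data/"
FAKE_WEB = {  # url -> (status, headers, body)
    "https://cdn.example.com/avatar.png": (200, {}, b"\x89PNG"),
    "https://avatars.example.org/u/1": (302, {"Location": "https://cdn.example.com/avatar.png"}, b""),
    "https://avatars.example.org/u/2": (302, {"Location": META}, b""),  # redirects inward
    META: (200, {}, b"instance-id"),
}
REDIRECTS = {301, 302, 303, 307, 308}
# Characters on which URL parsers have disagreed about where the host ends;
# refusing them means it no longer matters which parser the client uses.
AMBIGUOUS = set("\\@")

class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""

def resolve(host):
    """Offline stand-in for socket.getaddrinfo(); returns every address."""
    try:
        return [str(ipaddress.ip_address(host))]  # bare IP literal
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise UnsafeURL(f"cannot resolve {host!r}") from None

def validate_url(url):
    """Return the hostname if url is safe to fetch, else raise UnsafeURL."""
    if AMBIGUOUS & set(url) or any(c.isspace() for c in url):
        raise UnsafeURL(f"ambiguous characters in {url!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or not parts.hostname:
        raise UnsafeURL("userinfo present or host missing")
    # Every address the name resolves to must be globally routable;
    # one private, loopback or link-local record is enough to reject.
    for addr in resolve(parts.hostname):
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeURL(f"{parts.hostname} resolves to {addr}")
    return parts.hostname

def is_safe(url):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_url(url)
        return True
    except UnsafeURL:
        return False

def fake_transport(url):
    """Stand-in for an HTTP client invoked with redirects disabled."""
    return FAKE_WEB.get(url, (404, {}, b""))

def naive_fetch(url, transport=fake_transport, max_redirects=3):
    """Vulnerable pattern: validate once, then follow redirects blindly."""
    validate_url(url)
    for _ in range(max_redirects + 1):
        status, headers, body = transport(url)
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body, url
    raise UnsafeURL("too many redirects")

def guarded_fetch(url, transport=fake_transport, max_redirects=3):
    """Hardened: redirects disabled in the client, each hop re-validated."""
    hops = [url]
    for _ in range(max_redirects + 1):
        validate_url(url)
        status, headers, body = transport(url)
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])
            hops.append(url)
            continue
        return status, body, hops
    raise UnsafeURL("too many redirects")

def demo():
    """Contrast both fetchers on the constructed redirect chains."""
    out = {"naive_u2": naive_fetch("https://avatars.example.org/u/2"),
           "guarded_u1": guarded_fetch("https://avatars.example.org/u/1")}
    try:
        out["guarded_u2"] = guarded_fetch("https://avatars.example.org/u/2")
    except UnsafeURL as exc:
        out["guarded_u2"] = f"blocked: {exc}"
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats apply to any real deployment of this pattern. First, the hostname is resolved once in the validator and again by the HTTP client, so a DNS answer that changes between the two lookups (rebinding) still gets through; connecting to the validated address and pinning the Host header closes that gap. Second, `is_global` treats the documentation and benchmark ranges as non-global, which is the desired direction of failure for an SSRF guard but means a sample "public" address must be chosen from actually routable space, as done above.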

RECOMMENDATION:

We recommend updating pip:open-webui to version 0.9.6 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-f3g7-59qc-pqg6

https://github.com/advisories/GHSA-3vv5-8xxp-4f55

https://github.com/advisories/GHSA-vrhc-3fr6-pc3c

https://github.com/advisories/GHSA-vjqm-6gcc-62cr

https://github.com/advisories/GHSA-v2qm-5wxj-qhj7

https://github.com/advisories/GHSA-226f-f24g-524w

https://github.com/advisories/GHSA-v8qj-hxv7-mgvv

https://github.com/advisories/GHSA-r2wg-2mcr-66rv

https://github.com/advisories/GHSA-jrfp-m64g-pcwv
