PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54007 open-webui CVE debrief

CVE-2026-54007 is a high-severity vulnerability in Open WebUI, a self-hosted artificial intelligence platform. Prior to version 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, enabling an external site to set prompt text and trigger submitPrompt() in an authenticated victim session. This allows for cross-site forced actions and model/tool execution under victim privileges without consent. The vulnerability was validated with a cross-origin attacker page that auto-posted messages, causing unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. The issue is fixed in version 0.9.6.

Vendor
open-webui
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-26
Advisory published
2026-06-23
Advisory updated
2026-06-26

Who should care

Security teams and administrators of Open WebUI instances should be aware of this vulnerability. If Open WebUI is used in an environment where users have access to sensitive data or systems, defenders should prioritize patching to version 0.9.6 or later. Additionally, defenders should monitor for suspicious activity and implement compensating controls to detect and prevent exploitation.

Technical summary

The vulnerability exists in the chat message listener of Open WebUI, which allows non-same-origin input:prompt and action:submit messages. This enables an external site to set prompt text and trigger submitPrompt() in an authenticated victim session, leading to cross-site forced actions and model/tool execution under victim privileges. The issue arises from inadequate origin checks on incoming messages. The vulnerability is characterized by CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, with a CVSS score of 7.1 and HIGH severity.
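To make the root cause concrete, here is an added illustration (not Open WebUI's code and not taken from the advisory) of a browser `message` listener in the vulnerable shape the advisory describes, with no origin check, beside a hardened version that drops any message not posted from the application's own origin. The message types `input:prompt` and `action:submit` and the `submitPrompt()` name come from the advisory; the handler factories, the in-memory session object, and the origins are constructed for the example.

```javascript
// Added example, not Open WebUI's code: a minimal model of a window
// "message" listener in the vulnerable shape the advisory describes
// (no origin check) and in a hardened shape (same-origin only).
// Message types "input:prompt" / "action:submit" and submitPrompt()
// come from the advisory; the session stand-in, the factories and the
// origins below are constructed for illustration.

// Stand-in for the authenticated chat session the listener acts on.
function makeSession() {
  return {
    prompt: "",
    submitted: [],            // prompts that reached submitPrompt()
    setPrompt(text) { this.prompt = String(text); },
    submitPrompt() { this.submitted.push(this.prompt); },
  };
}

// Shared dispatch: what either listener does once a message is accepted.
function dispatch(session, data) {
  if (!data || typeof data !== "object") return false;
  switch (data.type) {
    case "input:prompt":
      session.setPrompt(data.text ?? "");
      return true;
    case "action:submit":
      session.submitPrompt();
      return true;
    default:
      return false;
  }
}

// Vulnerable pattern (pre-0.9.6 shape): acts on every MessageEvent,
// regardless of which window posted it.
function makeVulnerableListener(session) {
  return (event) => dispatch(session, event.data);
}

// Hardened pattern: check event.origin against the app's own origin
// before touching the session; everything else is ignored.
// appOrigin is the origin the page is served from
// (window.location.origin in a real browser).
function makeHardenedListener(session, appOrigin) {
  return (event) => {
    if (event.origin !== appOrigin) return false;   // cross-origin: drop
    return dispatch(session, event.data);
  };
}

// Replays the forced-action sequence from the advisory against a listener
// and returns the prompts that reached submitPrompt().
function simulateCrossOriginPost(makeListener) {
  const appOrigin = "https://webui.example.internal";    // constructed
  const attackerOrigin = "https://attacker.example";      // constructed
  const session = makeSession();
  const listener = makeListener(session, appOrigin);
  // Events shaped like window MessageEvents: { origin, data }.
  listener({ origin: attackerOrigin, data: { type: "input:prompt", text: "injected" } });
  listener({ origin: attackerOrigin, data: { type: "action:submit" } });
  // A legitimate same-origin message still works with either listener.
  listener({ origin: appOrigin, data: { type: "input:prompt", text: "legit" } });
  listener({ origin: appOrigin, data: { type: "action:submit" } });
  return session.submitted;
}

// In a real page the hardened listener would be registered as:
//   window.addEventListener("message",
//     makeHardenedListener(session, window.location.origin));
console.log("vulnerable:", simulateCrossOriginPost(makeVulnerableListener)); // ["injected","legit"]
console.log("hardened:  ", simulateCrossOriginPost(makeHardenedListener));   // ["legit"]
```

With the vulnerable listener the cross-origin prompt is submitted alongside the legitimate one; with the origin check only the same-origin prompt goes through. In a real deployment the comparison should be against the exact origin string (scheme, host and port), never a substring or regex match on the hostname.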

Defensive priority

Defenders should prioritize patching Open WebUI to version 0.9.6 or later. Until the patch is applied, network access controls that limit who can reach the instance, together with monitoring for suspicious activity, reduce the exposure.

Recommended defensive actions

  • Patch Open WebUI to version 0.9.6 or later
  • Implement network access controls to restrict access to Open WebUI
  • Monitor for suspicious activity and implement compensating controls to detect and prevent exploitation
  • Conduct a thorough review of Open WebUI configurations and user privileges
  • Consider implementing additional security measures, such as web application firewalls or intrusion detection systems

Evidence notes

The vulnerability was reported and patched in version 0.9.6. The CVE record and NVD detail provide additional information on the vulnerability. The source item URL provides further details on the vulnerability and its mitigation.

Official resources

This article is AI-assisted and based on the supplied source corpus.