PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59224 open-webui CVE debrief

Open WebUI, a self-hosted AI platform, had a vulnerability prior to version 0.10.0. The issue was in the `terminals.py` file, where the `ws_terminal` upstream URL was built from an unencoded `session_id` and had `user_id` appended as a query parameter. This allowed for query injection, enabling the terminal backend to resolve another user's identity. The HTTP proxy path also forwarded `X-User-Id` as an integrity-unbound identity claim. The vulnerability is fixed in version 0.10.0. This issue could lead to unauthorized access to sensitive information or actions on behalf of the user.

Vendor
open-webui
Product
Unknown
CVSS
HIGH 8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Open WebUI, especially those hosting it themselves, should be aware of this vulnerability. If an attacker can inject malicious queries, they may be able to access another user's terminal session. This could lead to unauthorized access to sensitive information or actions on behalf of the user. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed.

Technical summary

The vulnerability in Open WebUI's `terminals.py` file allowed for query injection due to an unencoded `session_id`. An attacker could potentially inject malicious queries to access another user's terminal session. The issue was exacerbated by the forwarding of `X-User-Id` as an integrity-unbound identity claim in the HTTP proxy path. This vulnerability has been fixed in version 0.10.0. Affected product deployments should be reviewed for exposure, and compensating controls should be implemented while remediation is scheduled and verified.

Defensive priority

High

Recommended defensive actions

  • Upgrade Open WebUI to version 0.10.0 or later
  • Review and monitor terminal sessions for suspicious activity
  • Implement additional security measures to protect against query injection attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-09T17:17:03.770Z and last modified on 2026-07-10T15:22:04.010Z. The NVD entry is currently Analyzed. Evidence from the CVE record and NVD entry indicates that Open WebUI, a self-hosted AI platform, had a vulnerability prior to version 0.10.0. The issue was in the `terminals.py` file, where the `ws_terminal` upstream URL was built from an unencoded `session_id` and had `user_id` appended as a query parameter. This allowed for query injection, enabling the terminal backend to resolve another user's identity. The HTTP proxy path also forwarded `X-User-Id` as an integrity-unbound identity claim. The vulnerability is fixed in version 0.10.0. Defenders should verify affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T17:17:03.770Z and has not been modified since then. The NVD entry is currently Analyzed.