PT-2026-50479 · Pypi · Open-Webui

Published: 2026-06-17 · Updated: 2026-06-17 · CVE-2026-54007

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.

Details

The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.

Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog.
However, combining the two other types, it is possible to achieve the same effect without this confirmation.

PoC

  1. Set up a local Open WebUI instance and log in to it, making sure a model is configured
  2. Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
```html
<h1>Click anywhere</h1>
<script>
  function sleep(ms) {
    return new Promise(r => setTimeout(r, ms));
  }

  onclick = async () => {
    w = window.open('http://127.0.0.1:14000');
    await sleep(2000);
    w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*');
    await sleep(500);
    w.postMessage({ type: 'action:submit' }, '*');
  }
</script>
```
  3. Click anywhere on the page, then notice that, without further interaction, the "INJECTED PROMPT" is executed on the Open WebUI instance

Impact

Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).
This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.
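
An origin-gated dispatcher for the message types described in Details, as an added example that is not Open WebUI's code or its actual fix. The function name, the `ui` hooks (`setPrompt`, `submitPrompt`, `confirm`) and the allowlist parameter are assumptions; the policy shown is that same-origin messages pass, allowlisted origins need user confirmation for every prompt-affecting message, and all other origins are dropped.

```javascript
// Message types the advisory names as reachable via postMessage.
const PROMPT_TYPES = new Set(['input:prompt', 'action:submit', 'input:prompt:submit']);

// selfOrigin: the application's own origin (window.location.origin in a browser).
// trustedOrigins: explicit allowlist of embedding origins (hypothetical setting).
// ui: hypothetical hooks into the chat component:
//     setPrompt(text), submitPrompt(), confirm(origin, data) -> boolean
function createEmbedMessageHandler(selfOrigin, trustedOrigins, ui) {
  // The opaque origin serializes as the string "null"; never allow it to be trusted.
  const trusted = new Set(trustedOrigins.filter((o) => o !== 'null'));

  return function onMessage(event) {
    const data = event.data;
    if (!data || typeof data !== 'object' || !PROMPT_TYPES.has(data.type)) {
      return 'ignored';
    }

    // event.origin is filled in by the browser, not by the sender.
    const sameOrigin = event.origin === selfOrigin;
    if (!sameOrigin && !trusted.has(event.origin)) return 'dropped';

    // Types that carry prompt text must carry a string.
    if (data.type !== 'action:submit' && typeof data.text !== 'string') {
      return 'dropped';
    }

    // Every cross-origin message that edits or submits the prompt needs consent,
    // so input:prompt followed by action:submit cannot be chained around the dialog.
    if (!sameOrigin && !ui.confirm(event.origin, data)) return 'declined';

    if (data.type !== 'action:submit') ui.setPrompt(data.text);
    if (data.type !== 'input:prompt') ui.submitPrompt();
    return 'handled';
  };
}

// Browser wiring (not executed here):
// window.addEventListener('message',
//   createEmbedMessageHandler(window.location.origin, [], ui));
```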

Fix

Origin Validation Error

Weakness Enumeration

Related Identifiers

CVE-2026-54007
GHSA-3VV5-8XXP-4F55

Affected Products

Open-Webui