External risk intelligence

open-webui Cross-Origin Resource Sharing Misconfiguration Allows Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-56400

Open-webui is commonly deployed as a public-facing web application interface for interacting with large language models. As a web service intended to be accessed by users, it frequently occupies an internet-facing role, making its API endpoints reachable via standard browser-based requests.

Openwebui Open Webui

before 0.3.14

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a security vulnerability in the open-webui application, which allows for cross-origin resource sharing misconfigurations. The issue could permit attackers to execute arbitrary code on the affected instances through crafted web requests, particularly when an administrator user visits a malicious website.

  • Website configuration flaw allows code execution.
  • Affects applications providing AI interfaces.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by luring an administrator into visiting a compromised website. This website would send a specially crafted request to the vulnerable Open-WebUI instance, exploiting a misconfiguration in how it handles requests from different web origins. If successful, an attacker could potentially execute arbitrary code on the Open-WebUI server.

  • Requires attacker-controlled website.
  • Triggered by admin visiting malicious site.
  • Allows arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow an attacker to execute arbitrary code on the open-webui instance. This is possible if an authenticated user visits a malicious website, which then crafts cross-site requests to the application's API.

  • Arbitrary code execution on the instance.
  • Malicious website and authenticated user visit.
  • Compromise of the open-webui service.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Open WebUI application, particularly its API endpoints, should be owned by the team responsible for its deployment and ongoing management. This could be an infrastructure, platform, or application-specific team depending on how Open WebUI is integrated into your environment. The initial step is to inventory all Open WebUI instances, identify which are exposed to the internet or internal networks accessible by unauthenticated users, and confirm their business criticality before planning remediation.

  • Application or platform team owns remediation.
  • Verify internet-facing Open WebUI instances.
  • Plan updates or implement network controls.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Open WebUI?

Open WebUI is a self-hosted web application that provides a user-friendly interface for interacting with large language models. It acts as a gateway, allowing users to communicate with AI services through a browser-based dashboard rather than raw command-line tools.

What does CVE-2026-56400 mean for security?

This CVE involves a Cross-Origin Resource Sharing (CORS) misconfiguration. The software incorrectly allows requests from any website origin to reach its internal API. This weakness permits an attacker to trick a browser into performing unauthorized actions on the server on behalf of an authenticated user.

How is this vulnerability triggered?

An attacker must lure an administrator into visiting a malicious website. This site then sends a crafted request to the Open WebUI instance using the victim's active session. It is not triggered by direct public access to the API alone, but requires the social engineering step of an authenticated user clicking the link.

Is my instance at risk according to Halo Surface Signal?

Halo Surface Signal notes that Open WebUI is often deployed as a public-facing service to support user access to AI models. Because these API endpoints are frequently reachable via standard web traffic, instances accessible from the internet are at a higher likelihood of being targeted.

What should I do if I use Open WebUI?

First, inventory your environment to identify all active instances. Confirm which ones are reachable from the internet or internal networks. Once mapped, coordinate with your infrastructure or platform management teams to prioritize updates for those identified instances.

References