External risk intelligence

Open WebUI Stored Cross-Site Scripting Leads to Server-Side Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-59214

Open WebUI is a self-hosted web application designed as an interface for AI platforms. Such applications are commonly deployed as web services accessible over the internet to allow remote user access to AI chat features and administrative functions.

Cross-site Scripting

Openwebui Open Webui

before 0.10.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Open WebUI, a self-hosted AI platform, allows authenticated users to execute server-side code by clicking a "Run" button within a chat payload. The issue arises from how chat data is processed, potentially enabling access to administrative functions and commands.

  • Stored chat data can execute code on the server.
  • Affects self-hosted AI platforms.
  • Verify relevance and check exposure.

Attack Path

How an attacker could exploit the issue

An attacker can trick a logged-in user into clicking a "Run" button within Open WebUI. This action allows malicious code, hidden within a chat message, to execute authenticated requests to sensitive admin endpoints on the server by leveraging the platform's client-side Python environment.

  • Requires authenticated user interaction.
  • Triggered by user clicking "Run".
  • Risk of unauthorized server-side code execution.

Live Threat

Current exploitation, exposure, and threat context

When a user interacts with a vulnerable version of Open WebUI and clicks "Run" on a malicious chat payload, it can trigger authenticated, same-origin requests. These requests could potentially reach admin-only endpoints or execute server-side code through configured tools, when supported by the advisory.

  • Admin-only endpoints or server-side code.
  • Malicious payload execution via user interaction.
  • Unauthorized access and server-side actions.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Open WebUI product is a self-hosted AI platform, suggesting that infrastructure or platform teams are likely responsible for its deployment and maintenance. Initial actions should focus on identifying all instances of Open WebUI within the environment, assessing their reachability and business criticality, and locating the accountable owner before planning any remediation.

  • Identify affected technology instances and owners.
  • Verify instance reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Open WebUI?

Open WebUI is a self-hosted platform that provides a user-friendly interface for interacting with various AI models. It is typically deployed by organizations to allow users to manage chat sessions, configure AI tools, and perform administrative tasks through a centralized web application.

What is the vulnerability in CVE-2026-59214?

This vulnerability is a Cross-Site Scripting (CWE-79) flaw. It occurs because the platform processes chat data in a way that allows malicious scripts to execute within the user's browser session. By tricking a user into running a payload, an attacker can make unauthorized requests that the application treats as legitimate, potentially reaching restricted server-side functions.

How is this vulnerability triggered?

The flaw is triggered when an authenticated user clicks a "Run" button on a malicious chat payload stored within the platform. It does not trigger automatically; the code execution relies on this specific user interaction. Requests sent simply by viewing a message or browsing the interface without manually triggering the payload component are not the primary vector for this issue.

Why should I care about this Open WebUI vulnerability?

According to Halo Surface Signal, Open WebUI is often deployed as a web service accessible over the internet to facilitate remote access. If your instance is reachable from outside your network, it could be exposed to unauthorized users who might attempt to leverage this flaw to access sensitive administrative endpoints or execute code on your server.

What should I do to secure my Open WebUI installation?

First, locate all instances of Open WebUI operating in your environment to understand your footprint. Verify the version you are running and confirm the business criticality of each instance. Coordinate with the team or owner responsible for the deployment to prioritize upgrading to version 0.10.0 or later, which contains the fix for this issue.

References