CVE-2026-54007
Undergoing Analysis - In Progress
Cross-Site Forced Action in Open WebUI

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent. This vulnerability is fixed in 0.9.6.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product     Version / Range
open_webui  open_webui  up to 0.9.6 (excluding)
open_webui  open_webui  0.9.6
CWE ID   Description
CWE-346  The product does not properly verify that the source of data or communication is valid.
Detection Guidance

This vulnerability involves unauthorized cross-origin POST requests to Open WebUI endpoints such as /api/v1/chats/new and /api/chat/completions. Detection can focus on monitoring for unexpected or suspicious POST requests to these API endpoints originating from external or untrusted sources.

Network or system administrators can inspect web server logs or use network monitoring tools to identify such requests. For example, commands to search logs for suspicious POST requests might include:

  • grep 'POST /api/v1/chats/new' /var/log/nginx/access.log
  • grep 'POST /api/chat/completions' /var/log/nginx/access.log

Additionally, monitoring for cross-origin postMessage events or unusual browser activity related to Open WebUI sessions may help detect exploitation attempts, though specific commands for this are not detailed in the provided information.

Executive Summary

CVE-2026-54007 is a high-severity vulnerability in Open WebUI versions 0.9.5 and earlier. It involves a flaw in the chat message listener that allows cross-origin messages of types 'input:prompt' and 'action:submit' to be processed without proper same-origin validation. This means an attacker can create a malicious external website that sends messages to the victim's authenticated Open WebUI session, setting prompt text and triggering prompt submission without the victim's consent.

The vulnerability enables an attacker to silently inject prompts and execute model or tool actions (such as code interpreter, web search, or terminal commands) under the victim's privileges. This happens because the listener does not enforce strict origin checks, allowing unauthorized API calls like POST /api/v1/chats/new and POST /api/chat/completions to be made in the victim's session.

Exploitation requires the victim to visit a malicious page while authenticated to Open WebUI. Unlike other message types that require user confirmation, this vulnerability bypasses any confirmation dialogs, making the attack stealthy and effective.

Compliance Impact

The vulnerability allows an attacker to execute unauthorized actions under a victim's authenticated session without their consent, impacting system integrity.

Such unauthorized actions could lead to data manipulation or exposure, which may conflict with compliance requirements in standards like GDPR or HIPAA that mandate data protection and user consent.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Impact Analysis

This vulnerability impacts system integrity by allowing an attacker to perform unauthorized actions within the victim's authenticated Open WebUI session without their knowledge or consent.

  • An attacker can inject and execute arbitrary prompts and commands, potentially triggering model or tool executions such as code interpreters, web searches, or terminal commands.
  • Unauthorized API requests can be made under the victim's credentials, which could lead to data manipulation or leakage depending on the victim's privileges.
  • Because the attack bypasses user confirmation, it can be executed silently, increasing the risk of unnoticed compromise.

Mitigation Strategies

The primary mitigation step is to upgrade Open WebUI to version 0.9.6 or later, where this vulnerability has been fixed by enforcing strict same-origin validation on chat message listeners.

Until the upgrade can be applied, consider restricting access to the Open WebUI instance to trusted networks or users only, to reduce the risk of cross-origin attacks.

Additionally, educating users to avoid visiting untrusted or malicious websites while authenticated to Open WebUI can help prevent exploitation.
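
The same-origin validation described above, sketched as an added example. This is not Open WebUI's source code: only the message types input:prompt and action:submit come from the advisory, while createListener, the ui object, the text field and the example.test origins are assumptions made for illustration.

```javascript
// Added illustration; NOT Open WebUI source. Message types are from the advisory;
// createListener, ui, the `text` payload field and all origins are hypothetical.
const FORCED_ACTION_TYPES = new Set(['input:prompt', 'action:submit']);

// ui: { setPrompt(text), submitPrompt() } stands in for the chat component.
// In a browser, ownOrigin would be window.location.origin and the returned
// function would be registered with window.addEventListener('message', ...).
function createListener(ownOrigin, ui, { enforceSameOrigin }) {
  return function onMessage(event) {
    const data = event.data;
    if (data === null || typeof data !== 'object') return 'ignored';
    if (!FORCED_ACTION_TYPES.has(data.type)) return 'ignored';
    // Hardened path: exact string equality against our own origin. The opaque
    // origin "null" and look-alike hosts fail, unlike prefix/substring checks.
    if (enforceSameOrigin && event.origin !== ownOrigin) return 'rejected';
    if (data.type === 'input:prompt') {
      if (typeof data.text !== 'string') return 'ignored';
      ui.setPrompt(data.text);
      return 'prompt-set';
    }
    ui.submitPrompt();
    return 'submitted';
  };
}

// Replay constructed events through a listener and record what the UI did.
function replay(enforceSameOrigin, events) {
  const calls = [];
  const ui = {
    setPrompt: (t) => calls.push(`setPrompt:${t}`),
    submitPrompt: () => calls.push('submitPrompt'),
  };
  const listener = createListener('https://chat.example.test', ui, { enforceSameOrigin });
  const results = events.map((e) => listener(e));
  return { results, calls };
}

// Constructed sample events (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: 'https://chat.example.test', data: { type: 'input:prompt', text: 'hello' } },
  { origin: 'https://other.example.test', data: { type: 'input:prompt', text: 'forced' } },
  { origin: 'https://other.example.test', data: { type: 'action:submit' } },
  { origin: 'null', data: { type: 'action:submit' } },
  { origin: 'https://chat.example.test.evil.test', data: { type: 'action:submit' } },
];

console.log('without check:', replay(false, SAMPLE_EVENTS).calls);
console.log('with check:   ', replay(true, SAMPLE_EVENTS).calls);
```

With the check disabled, every sample event reaches setPrompt or submitPrompt; with it enabled, only the same-origin message does.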
