CVE-2026-56400
Received Received - Intake

Cross-Origin Request Forgery in Open WebUI

Vulnerability report for CVE-2026-56400, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
open-webui open-webui to 0.3.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56400 is a critical vulnerability in open-webui versions before 0.3.14. It involves two flaws: a CORS misconfiguration allowing arbitrary origins and a session management issue where cookies aren't invalidated on logout. Attackers can exploit this to execute remote code with root privileges by tricking an admin into visiting a malicious site.

Impact Analysis

If you use open-webui in a Docker environment, an attacker could gain full control of your instance. This could lead to data theft, unauthorized access, or further network compromise. The attack requires an admin to visit a malicious site, making phishing a likely vector.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection requirements and HIPAA's security rules. Non-compliance risks include fines, legal action, and reputational damage due to potential data breaches.

Detection Guidance

Check open-webui version with: docker exec <container_name> cat /app/open-webui/version.txt. If version is below 0.3.14, the system is vulnerable. Inspect CORS settings in the application configuration files for overly permissive allow_origins=*. Monitor network traffic for unauthorized requests to /api/v1/functions endpoint from external origins.

Mitigation Strategies

Upgrade open-webui to version 0.3.14 or later immediately. Remove the overly broad CORS configuration by replacing allow_origins=* with specific allowed origins. Ensure session cookies are invalidated upon logout by checking authentication middleware settings. Restart the application after changes to apply fixes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart