open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 15 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests from attacker-controlled websites when an admin user visits them. | |
| Title | open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation | |
| First Time appeared |
Openwebui
Openwebui open Webui |
|
| Weaknesses | CWE-613 | |
| CPEs | cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Openwebui
Openwebui open Webui |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T11:25:31.421Z
Reserved: 2026-06-21T12:37:58.435Z
Link: CVE-2026-56400
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses