GHSA-3vv5-8xxp-4f55High

Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.

Details

The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.

Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L604-L622

However, combining the two other types, it is possible to achieve the same effect without this confirmation:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L584-L602

PoC

  1. Set up a local Open WebUI instance and log in to it, making sure a model is configured
  2. Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
<h1>Click anywhere</h1>
<script>
  function sleep(ms) {
    return new Promise(r => setTimeout(r, ms));
  }
  
  onclick = async () => {
    w = window.open('http://127.0.0.1:14000');
    await sleep(2000);
    w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*');
    await sleep(500);
    w.postMessage({ type: 'action:submit' }, '*');
  }
</script>
  1. Click anywhere on the page, then notice without further interaction the "INJECTED PROMPT" is executed on the Open WebUI instance

Impact

Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).

This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.

Original Agent Report

🎯 Affected products1

  • pip/open-webui:<= 0.9.5

🔗 References (2)