Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
🔗 CVE IDs covered (1)
📋 Description
Summary
The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.
Details
The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.
Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L604-L622
However, combining the two other types, it is possible to achieve the same effect without this confirmation:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L584-L602
PoC
- Set up a local Open WebUI instance and log in to it, making sure a model is configured
- Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
<h1>Click anywhere</h1>
<script>
function sleep(ms) {
return new Promise(r => setTimeout(r, ms));
}
onclick = async () => {
w = window.open('http://127.0.0.1:14000');
await sleep(2000);
w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*');
await sleep(500);
w.postMessage({ type: 'action:submit' }, '*');
}
</script>
- Click anywhere on the page, then notice without further interaction the "INJECTED PROMPT" is executed on the Open WebUI instance
Impact
Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).
This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.
Original Agent Report
🎯 Affected products1
- pip/open-webui:<= 0.9.5