CVE-2026-54007: Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

June 17, 2026

The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.

References

github.com/advisories/GHSA-3vv5-8xxp-4f55
github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55
nvd.nist.gov/vuln/detail/CVE-2026-54007

Code Behaviors & Features

Detect and mitigate CVE-2026-54007 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →