GHSA-6xcp-7mpr-m7wm: Open WebUI has a CORS misconfiguration and session validation issue

May 11, 2026

Due to a CORS misconfiguration and session validation issue, an attacker may be able to perform a 1 click attack against browsers with admin access to openwebui, resulting in remote code execution in the openwebui instance. The openwebui application runs as root in Docker container’s default setup, which allows for complete compromise of the container.

References

github.com/advisories/GHSA-6xcp-7mpr-m7wm
github.com/open-webui/open-webui/security/advisories/GHSA-6xcp-7mpr-m7wm

Code Behaviors & Features

Detect and mitigate GHSA-6xcp-7mpr-m7wm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →