All articles
Threat IntelligenceMay 2026·3 min read

Open WebUI Flaws Allow RCE via One-Click Attack

A CORS misconfiguration and session handling weakness in the popular LLM interface create a path for attackers to execute code on the underlying server.

Open WebUI Flaws Allow RCE via One-Click Attack
Illustration generated by Helixar Research Labs. Not a depiction of a real system, attack, or affected product.

At a Glance

GHSL-2024-174, GHSL-2024-175

Identifier

High

Severity

Network / Cross-Site

Attack Vector

Open WebUI

Affected Product

The GitHub Security Lab (GHSL) has reported two vulnerabilities in Open WebUI, a popular web interface for large language models. When combined, these flaws allow an attacker to achieve remote code execution (RCE) on the server running the application. The attack can be triggered by a single click from a logged-in administrator visiting a malicious website [1].

The Attack Chain

The attack begins with an attacker crafting a malicious webpage. This page contains JavaScript code designed to send requests to a target's Open WebUI instance. The attacker then tricks an administrator of that instance into visiting the malicious page. When the administrator clicks anywhere on the page, the exploit is triggered.

Due to the vulnerabilities, the attacker's script can make authenticated requests from the victim's browser. The script first uses the Open WebUI API to create a new "function," a feature intended for custom code execution within the platform. The content of this function is attacker-controlled code. The script then toggles this function on, causing the server to execute the malicious payload [1].

The default Docker installation of Open WebUI runs as the root user. This means a successful RCE attack results in a complete compromise of the container environment. From there, an attacker could attempt to pivot to other parts of the network [2].

OPERATOR ACTION

Update all Open WebUI instances to a patched version immediately and review your CORS origin policies.

Technical Cause: CORS and Session Flaws

The root of the attack lies in two distinct but related security issues. The first is a Cross-Origin Resource Sharing (CORS) misconfiguration. Open WebUI's backend was configured to allow requests from any origin (`*`) while also allowing credentials to be sent. This combination is insecure because it effectively tells web browsers to permit any website to make authenticated requests to the Open WebUI API on behalf of a logged-in user [1].

The second issue is a failure to properly invalidate user sessions upon logout. The application does not clear or invalidate session cookies when a user logs out. This means a session cookie remains valid as long as the user's browser is open. This flaw expands the attack window, as a victim does not need to be actively using Open WebUI at the time of the attack, only to have logged in previously during their browser session [1].

Impact on Agentic Systems

A compromise of Open WebUI is more than a typical web application breach. This tool acts as a primary control plane for interacting with and managing LLMs. For teams building agentic systems, it is a critical piece of development infrastructure. An attacker with RCE on this server has a privileged position to observe and manipulate the AI stack.

With control over the WebUI server, an attacker could steal proprietary models, intercept and alter prompts and responses, or inject malicious outputs from AI agents. They could poison data used for fine-tuning or retrieval-augmented generation (RAG). This vulnerability highlights how conventional web security flaws can have a magnified impact when they affect the rapidly growing AI toolchain.

References

  1. GitHub Security Advisory (GHSA-6xcp-7mpr-m7wm). https://github.com/advisories/GHSA-6xcp-7mpr-m7wm (accessed 2026-05-13).
  2. Vendor security advisory (github.com). https://github.com/open-webui/open-webui/security/advisories/GHSA-6xcp-7mpr-m7wm (accessed 2026-05-13).

About Helixar Research Labs

Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.

Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.

If you run agents in production, this is for you. Learn more at helixar.ai.

Back to Press