VYPR
\n```\n\n3. Click anywhere on the page, then notice without further interaction the \"INJECTED PROMPT\" is executed on the Open WebUI instance\n\n\"image\"\n\n### Impact\n\nConditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).\n\nThis issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.\n\n### Original Agent Report\n\n\"app","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-54007"]},"keywords":"CVE-2026-54007, high, Openwebui Open Webui","mentions":[{"@type":"SoftwareApplication","name":"Open Webui","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Openwebui"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-54007","item":"https://portal.vyprsec.ai/cves/CVE-2026-54007"}]}]}
← All advisories
High severity7.1NVD Advisory· Published Jun 17, 2026· Updated Jun 17, 2026

Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

CVE-2026-54007

Description

Summary

The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt() in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorized POST /api/v1/chats/new and POST /api/chat/completions requests containing attacker-controlled prompts. This enables cross-site forced actions and model/tool execution under victim privileges without consent.

Details

The chat page's window message listener in src/lib/components/chat/Chat.svelte processes message types including input:prompt and action:submit without adequately enforcing same-origin restrictions. Based on code around lines ~597-616, input text is set directly from event.data.text; action:submit proceeds to submitPrompt() on the current prompt. The logic does not apply a strict origin allowlist and permits non-same-origin control of the chat input and submission flow, leading to cross-origin command execution in the victim's authenticated UI context. As a result, backend API calls (e.g., POST /api/v1/chats/new, POST /api/chat/completions) are sent under victim credentials.

Normally, via the input:prompt:submit postMessage type, this results in a "Confirm Prompt from Embed" confirmation dialog:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L604-L622

However, combining the two other types, it is possible to achieve the same effect without this confirmation:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/Chat.svelte#L584-L602

PoC

  1. Set up a local Open WebUI instance and log in to it, making sure a model is configured
  2. Host the following HTML anywhere and visit it (optionally change http://127.0.0.1:14000 to your instance Base URL):
Click anywhere
  1. Click anywhere on the page, then notice without further interaction the "INJECTED PROMPT" is executed on the Open WebUI instance

Impact

Conditions required: The victim must be authenticated to Open WebUI in the browser (token cookie present).

This issue enables cross-site forced actions under the victim's identity. An attacker can silently inject prompts and trigger model/tool execution (e.g., code interpreter, web search, retrieval, terminal/tool servers) as the victim without confirmation.

Original

Agent Report

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Missing origin validation in the postMessage listener allows cross-origin injection and submission of chat prompts."

Attack vector

An attacker hosts a malicious page that opens the victim's Open WebUI instance in a popup or iframe. After a short delay, the attacker page posts a `{type:'input:prompt', text:'...'}` message followed by a `{type:'action:submit'}` message using `postMessage` with target origin `'*'` [ref_id=1]. Because the listener does not validate `event.origin`, the attacker-controlled prompt text is inserted into the chat input and immediately submitted via `submitPrompt()`, causing unauthorized API calls (`POST /api/v1/chats/new`, `POST /api/chat/completions`) under the victim's authenticated session [ref_id=2]. This is a cross-origin message injection and forced action vulnerability.

Affected code

The `message` event listener in `src/lib/components/chat/Chat.svelte` (lines ~584–602) handles `input:prompt` and `action:submit` types without checking `event.origin`. The `input:prompt` handler sets the chat input from `event.data.text` and the `action:submit` handler calls `submitPrompt(prompt)` unconditionally, bypassing the same-origin confirmation dialog that the `input:prompt:submit` type would trigger [ref_id=1].

What the fix does

The advisory does not include a published patch diff, but the recommended fix is to add a strict `event.origin` check (or an allowlist of trusted origins) inside the `message` event listener for the `input:prompt` and `action:submit` handlers [ref_id=1]. Without such a check, any cross-origin page can inject and submit prompts without user confirmation, defeating the existing confirmation dialog that was only applied to the `input:prompt:submit` type.

Preconditions

  • authVictim must be authenticated to Open WebUI in the browser (valid token cookie present)
  • networkAttacker page must be able to open the victim's Open WebUI instance in a popup or iframe (no X-Frame-Options or CSP restriction blocking it)
  • inputAttacker sends crafted postMessage payloads with type 'input:prompt' and 'action:submit'

Reproduction

1. Set up a local Open WebUI instance and log in, ensuring a model is configured. 2. Host the following HTML anywhere and visit it (change `http://127.0.0.1:14000` to your instance Base URL):

```html <h1>Click anywhere</h1> <script> function sleep(ms) { return new Promise(r => setTimeout(r, ms)); } onclick = async () => { w = window.open('http://127.0.0.1:14000'); await sleep(2000); w.postMessage({ type: 'input:prompt', text: "INJECTED PROMPT" }, '*'); await sleep(500); w.postMessage({ type: 'action:submit' }, '*'); } </script> ``` 3. Click anywhere on the page; the "INJECTED PROMPT" is executed on the Open WebUI instance without further interaction [ref_id=1].

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.