{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/session-management/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui"],"_cs_severities":["high"],"_cs_tags":["cors","rce","session-management","open-webui"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA critical vulnerability exists in Open WebUI version v0.3.10 due to a combination of CORS misconfiguration (GHSL-2024-174) and session management flaws (GHSL-2024-175). The CORS misconfiguration on multiple API endpoints allows arbitrary websites to make authenticated cross-site requests to Open WebUI. When combined with the failure to invalidate session cookies upon logout, this allows an attacker to perform a one-click attack, potentially gaining remote code execution on the Open WebUI instance.  The application, by default, runs as root within a Docker container, escalating the impact to a full container compromise.  This vulnerability affects users who have admin access to the \u003ccode\u003e/api/v1/functions\u003c/code\u003e endpoint, allowing execution of arbitrary code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious website (\u003ccode\u003eattacker.com\u003c/code\u003e) containing JavaScript code that exploits the CORS misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker lures an Open WebUI administrator to visit the malicious website.\u003c/li\u003e\n\u003cli\u003eThe JavaScript on the attacker\u0026rsquo;s website bypasses CORS restrictions due to the \u003ccode\u003eallow_origins=[\u0026quot;*\u0026quot;]\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe malicious script sends an authenticated POST request to the \u003ccode\u003e/api/v1/functions/create\u003c/code\u003e endpoint, creating a malicious filter. This step requires the user to have an active Open WebUI session.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script then sends another POST request to \u003ccode\u003e/api/v1/functions/id/{filter_id}/toggle\u003c/code\u003e to activate the newly created filter, executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code injected by the filter executes a command (e.g., \u003ccode\u003ewhoami\u003c/code\u003e) and writes the output to a file (\u003ccode\u003e/tmp/whoami.txt\u003c/code\u003e) on the Open WebUI server.\u003c/li\u003e\n\u003cli\u003eBecause Open WebUI reuses session cookies after logout, the attacker can potentially regain access even if the admin has logged out, provided the browser hasn\u0026rsquo;t been closed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the Open WebUI server, with the potential to fully compromise the Docker container due to the default root user context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Open WebUI server. Given the default configuration where Open WebUI runs as root within a Docker container, this can lead to a complete compromise of the container and potentially the host system. The vulnerability affects any Open WebUI instance with an administrator who visits the malicious website, making it a widespread risk. The lack of session invalidation post-logout increases the window of opportunity for attackers, even if the admin user is no longer actively using the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eModify the Open WebUI CORS configuration to remove the permissive \u003ccode\u003eallow_origins=[\u0026quot;*\u0026quot;]\u003c/code\u003e and implement a more restrictive policy. Allow dynamic setup of allowed origins via the administration panel or a configuration file, as described in the remediation guidance for GHSL-2024-174.\u003c/li\u003e\n\u003cli\u003eImplement proper session invalidation upon logout. Ensure new cookies are generated for every session, and invalidate/remove previous session cookies from the browser\u0026rsquo;s storage upon logout, as described in the remediation guidance for GHSL-2024-175.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Open WebUI Function Creation via API\u0026rdquo; to identify potential exploitation attempts targeting the \u003ccode\u003e/api/v1/functions/create\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:05:41Z","date_published":"2026-05-11T14:05:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-cors-rce/","summary":"Open WebUI version v0.3.10 has a CORS misconfiguration and session validation issue that can lead to remote code execution due to a one-click attack against admin users.","title":"Open WebUI CORS Misconfiguration and Session Validation Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-cors-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Session-Management","version":"https://jsonfeed.org/version/1.1"}