CVE-2026-56400
Open WebUI · Open WebUI
A vulnerability in Open WebUI involving insufficient session expiration allows for potential unauthorized access.
Executive summary
An insufficient session expiration vulnerability in Open WebUI exposes the platform to unauthorized access and potential remote code execution.
Vulnerability
This vulnerability is caused by insufficient session expiration (CWE-613), which, when combined with CORS misconfigurations, allows an unauthenticated attacker to bypass security controls.
Business impact
The potential impact of this vulnerability is critical, as it could lead to full system compromise, including unauthorized access to data and the execution of arbitrary code on the host server. With a CVSS score of 8.3, this represents a significant threat to organizational data integrity and system availability.
Remediation
Immediate Action: Update the Open WebUI package to version 0.3.33 or later to apply the necessary security fixes.
Proactive Monitoring: Monitor server logs for unusual session activity or unauthorized access attempts originating from unexpected origins.
Compensating Controls: Implement strict CORS policies at the network level and restrict access to the web interface to trusted IP addresses using a reverse proxy or VPN.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the potential for remote code execution and the confirmed existence of proof-of-concept material, administrators should prioritize updating Open WebUI immediately. Failure to patch creates a high-risk exposure point that could be leveraged by attackers to gain control over the application environment.