Open WebUI Code Injection Vulnerability in Direct Connections Feature Allowing Cross-Site Scripting and Remote Code Execution

Vulnerability

A code injection vulnerability has been identified in Open WebUI, a self-hosted AI platform designed to run offline, in versions through 0.6.224. The issue resides in the Direct Connections feature, which lets a user point the web client at an external model server. A malicious model server can use this to execute arbitrary JavaScript in the browser of any user who has enabled the feature: the Server-Sent Events (SSE) the server streams back are not properly validated before the client handles them, so a crafted event can run script in the page, steal the user's authentication token and take over the account. When the stolen token belongs to an administrator, the access can be combined with the Functions API to execute code on the backend server. The attack requires the victim to enable Direct Connections and add the attacker's model URL, which can be brought about through social engineering.
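The root cause described above is a client that trusts whatever a user-supplied model server streams back. The following is an added example, not Open WebUI's own code, of how a browser-side consumer of an OpenAI-style chat-completions SSE stream can treat that stream as untrusted input: parse the SSE framing strictly, accept only the default event type, require each `data:` payload to be JSON with `choices[].delta.content` as a string, and escape the text before it reaches HTML. The sample stream, the event-name allowlist and the size limit are constructed for this example; only the `choices`/`delta`/`content` field names follow the OpenAI streaming format.

```javascript
// Added example (not Open WebUI's code): defensive handling of an SSE
// stream from an untrusted, user-supplied model URL.
// Assumption: the client only ever expects the default "message" event
// carrying OpenAI-style chat-completion chunks; everything else is dropped.
const MAX_CHUNK_BYTES = 64 * 1024; // assumed per-event size cap

// Split a raw SSE text buffer into { event, data } records. Multiple
// "data:" lines in one event are joined with "\n", as the SSE spec requires.
function parseSse(raw) {
  const events = [];
  let event = 'message';
  let dataLines = [];
  for (const line of raw.split(/\r\n|\r|\n/)) {
    if (line === '') {                       // blank line ends the event
      if (dataLines.length) events.push({ event, data: dataLines.join('\n') });
      event = 'message';
      dataLines = [];
      continue;
    }
    if (line.startsWith(':')) continue;      // SSE comment line
    const idx = line.indexOf(':');
    const field = idx === -1 ? line : line.slice(0, idx);
    let value = idx === -1 ? '' : line.slice(idx + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') event = value;
    else if (field === 'data') dataLines.push(value);
    // "id", "retry" and unknown fields are ignored on purpose
  }
  if (dataLines.length) events.push({ event, data: dataLines.join('\n') });
  return events;
}

// Validate one event and return only the text the model produced, or null.
// Custom event names, non-JSON payloads, oversized payloads and payloads
// that do not match the expected shape are all discarded.
function extractDeltaText(ev) {
  if (ev.event !== 'message') return null;
  if (ev.data === '[DONE]') return null;
  if (ev.data.length > MAX_CHUNK_BYTES) return null;
  let obj;
  try { obj = JSON.parse(ev.data); } catch { return null; }
  if (!obj || typeof obj !== 'object' || Array.isArray(obj)) return null;
  if (!Array.isArray(obj.choices)) return null;
  let out = '';
  for (const c of obj.choices) {
    const content = c && c.delta && c.delta.content;
    if (typeof content === 'string') out += content;
  }
  return out;
}

// Model output is data, never markup. In a real UI prefer assigning
// textContent; escaping shows what must never reach innerHTML unescaped.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Consume a whole stream and return both the plain text and its HTML-safe form.
function renderStream(raw) {
  const text = parseSse(raw)
    .map(extractDeltaText)
    .filter(t => t !== null)
    .join('');
  return { text, html: escapeHtml(text) };
}

// Constructed sample stream: two normal chunks, one unexpected custom event
// carrying HTML, one chunk whose text contains markup, a non-JSON line and
// the terminator. Nothing here is a captured Open WebUI or attacker payload.
const SAMPLE_STREAM = [
  'data: {"choices":[{"delta":{"content":"Hello"}}]}',
  '',
  'event: ui-update',
  'data: {"html":"<script>alert(1)</script>"}',
  '',
  'data: {"choices":[{"delta":{"content":" <img src=x onerror=alert(1)>"}}]}',
  '',
  'data: not json',
  '',
  'data: [DONE]',
  '',
].join('\n');

renderStream(SAMPLE_STREAM);
```

The custom `ui-update` event and the non-JSON line never reach the renderer, and the `<img ...>` text survives only as escaped characters, which is the behaviour a client talking to an arbitrary model URL needs. Because Direct Connections has the browser talk to the model server itself, this validation has to live in the client; server-side filtering in the Open WebUI backend never sees that traffic.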

Impact

Exploitation of this vulnerability allows unauthorized execution of JavaScript in the victim's browser, with theft of the victim's authentication token as the direct consequence. A stolen token grants the attacker the victim's access to Open WebUI; an admin token exposes administrative functions and data. According to the vulnerability report, admin token theft can additionally be chained with a separate vulnerability in the Functions API to achieve remote code execution on the backend server.

Reproduction

To reproduce this vulnerability, first ensure that Open WebUI version 0.6.224 or prior is running. Log in (an admin account demonstrates the full impact) and navigate to the Direct Connections settings. Enable the Direct Connections feature and add a connection whose model URL points at the malicious server. Once the connection is saved, select that model in the Open WebUI chat interface and send a message. The model server responds with a crafted SSE event that executes JavaScript in the browser, reads the authentication token and exfiltrates it to the attacker's server. The stolen token can then be used to access the user's account, including admin privileges if the token belongs to an admin user.

Remediation

Update to Open WebUI version 0.6.35 or later, where this vulnerability has been patched. Until the update is applied, the attack depends on Direct Connections being enabled and on a model URL the attacker controls being added, so keeping the feature disabled and adding only model servers you operate yourself removes the precondition.

Added: Nov 8, 2025, 2:18 AM
Updated: Nov 8, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 8.5
exploitability: 5.8
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.