Open WebUI Agent Security Risks

General Assistant Agents openwebui.com Exposed Giants
AI RISK QUADRANT POSITION DEFENSE CONTROLS (3) ATTACK SURFACE (7.64) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
5.07
High
Attack Surface
7.64
Critical
Blast Radius
7.75
Critical
Defense Controls
3
Critical
About The Agent

Open WebUI is a self-hosted AI chat platform deployed via Docker, connecting to Ollama or OpenAI-compatible LLM endpoints with built-in RAG, persistent memory, code execution, and a community tool marketplace. Its default configuration runs as root in a Docker container with CORS allowing all origins, workspace tools that execute arbitrary Python on the server, and no input or output filtering. The platform carries nine CVEs and fifteen GHSAs across input handling, data access, output rendering, tool execution, and access control, with multiple demonstrated exploitation chains reaching one-click remote code execution.

About the AI Risk Quadrant

Exposed Giants reflects Open WebUI's combination of high attack surface (X = 7.64) driven by six surfaces carrying confirmed CVEs with evidence penalties, high blast radius (Y = 7.75) from root-level code execution and unrestricted network access with confirmed SSRF, and minimal vendor-shipped defenses (Z = 3/15) limited to basic container isolation and partial RBAC. Operators deploying Open WebUI in production should treat hardening as mandatory before exposing the instance beyond a trusted private network.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Open WebUI ships with no input filtering, unsandboxed server-side code execution, no output guardrails, and only basic file logging on its default Docker deployment.

Key Input Risks
Open WebUI ingests user prompts, file uploads, URL content, community-imported tools, webhook payloads, and model descriptions with no input filtering or prompt injection detection on the default configuration. The default CORS policy allows all origins, amplifying every input vulnerability to cross-origin exploitation. Stored XSS via rich-text prompt injection (CVE-2025-64495) confirmed the input surface is exploitable without authentication bypass. [1][11]
Key Execution Risks
Workspace Tools and admin Functions execute arbitrary Python directly on the server process, which runs as root in the default Docker container. A CORS misconfiguration chain (GHSA-6xcp-7mpr-m7wm) demonstrated one-click RCE through Function creation with no sandbox boundary on the default configuration. [4][10]
Key Action Risks
Model-invoked tool calls fire within conversation turns without per-action operator approval on the default configuration, including web search, URL fetching, and memory writes. Disable workspace tool creation via the admin panel or restrict it to operator-managed functions to narrow this surface. The highest-blast-radius scope is full server-process access via workspace tools, with confirmed SSRF bypass reaching internal services. [7][14]
Key Output Risks
Open WebUI renders rich HTML and markdown output including iFrame embeds, with DOMPurify sanitization that has been repeatedly bypassed across multiple releases. Stored XSS via iFrame embeds in shared chats (CVE-2026-26193) allows untrusted output to reach downstream consumers through the shareable chat feature. [5][11]
Key Monitoring Risks
Open WebUI writes basic logs to backend/data/logs; no active monitoring, alerting, SIEM forwarding, or anomaly detection is configured by default. Tool invocations, memory writes, and model-managed operations are silent in the default audit trail, leaving the operator blind to exploitation. [15]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Open WebUI's AIRQ score quantifies the gap between its broad attack surface and minimal default defenses.

AIRQ Metrics

Open WebUI lands in the Exposed Giants quadrant with X = 7.64, Y = 7.75, and Z = 3: deployable only after hardening egress, sandboxing code execution, and restricting CORS, because the default configuration exposes root-level RCE to any cross-origin attacker.

Each axis measures a distinct risk dimension: Attack Surface out of 10, Blast Radius out of 10, Defense Controls out of 15, and AIRQ composite out of 15.

Metric Score Comments
AIRQ Score 5.07 Low AIRQ indicates high risk relative to defenses, making hardening an immediate priority for any production deployment.
Blast Radius 7.75 / 10 Root-level code execution, unrestricted network with confirmed SSRF (CVE-2026-45400), and container file system overwrite (CVE-2026-28788) drive the blast score.
Attack Surface 7.64 / 10 Six of ten surfaces carry confirmed CVEs with evidence penalties; all three trifecta conditions are active.
Defense Controls 3 / 15 No input or output guardrails on the default configuration; only basic container isolation and partial RBAC are vendor-shipped.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Open WebUI's reasoning loop accepts untrusted content from web UI prompts, file uploads, URL fetching, community marketplace imports, and webhook payloads.

Attack Surface Metrics

Higher scores indicate broader exposure; six surfaces reach the maximum after applying CVE-based evidence penalties.

Each row maps one attack surface to its adjusted score and a comment citing the agent-specific evidence.

Surface Score Comments
User Input 5 / 4 Web UI, API, file uploads, webhooks, marketplace imports, and model descriptions all carry untrusted content with no input filtering; CVE-2025-64495 confirmed stored XSS via prompt injection. [1]
External Data 5 / 4 RAG pipeline ingests uploaded files, web URLs, and YouTube transcripts; CVE-2026-28788 enables cross-user file overwrite, and GHSA-4g37-7p2c-38r9 bypasses knowledge base access controls. [2][8]
Memory 5 / 4 Persistent cross-session memory with model-managed tools and no integrity verification; CVE-2026-45349 allowed cross-user chat history access. [3]
Reasoning 2 / 4 Model-agnostic architecture delegates reasoning to interchangeable external LLMs with no vendor-specific reasoning chain controls. [14]
Planning 2 / 4 Multi-step tool calling within user-supervised sessions with no autonomous task decomposition or scheduling capabilities. [14]
Tool Execution 5 / 4 Workspace tools execute arbitrary Python on the server as root; GHSA-6xcp-7mpr-m7wm demonstrated one-click RCE via admin Function creation. [4]
Orchestration 2 / 4 Pipelines run as a separate Docker service processing filter chains and function workflows with no background scheduling or cross-session persistence. [18]
Inter-Agent 0 / 4 No inter-agent protocol, no MCP connectivity, and no agent-to-agent messaging, which eliminates lateral-movement risk from compromised peer agents. [12]
Output Processing 5 / 4 DOMPurify sanitization repeatedly bypassed; stored XSS via iFrame embeds (CVE-2026-26193) weaponizes shared chats for account takeover. [5]
Configuration 5 / 4 CORS defaults to allow all origins, community marketplace provides one-click import with no code signing, and CVE-2026-34222 exposed API keys to non-admins. [6]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Open WebUI accepts untrusted content from multiple channels, reads persistent memory and knowledge bases containing sensitive data, and sends outbound HTTP requests through web search and URL fetching integrations.

Lethal Trifecta · Complete (3 of 3)

Open WebUI exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Every user-facing channel — chat prompts, document uploads, fetched URLs, one-click marketplace imports, and inbound webhooks — feeds untrusted bytes directly into the reasoning loop. [1]
  • Sensitive data — Persistent memory, chat histories, knowledge base documents, and API keys in Tool Valves are all accessible to the agent process. [6][8]
  • External egress — Outbound HTTP via web search integrations, URL fetching, and RAG processing, with confirmed SSRF bypass reaching internal services. [7][9]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Open WebUI instance reaches root-level code execution, unrestricted network access with confirmed SSRF, and full container file system.

Blast Radius Metrics

Higher blast scores indicate broader damage reach; code execution, file system, and network all reach the maximum.

Each row maps one blast factor to the scope of damage an attacker gains after compromising the agent.

Factor Score Comments
Code execution 4 / 4 Workspace tools and Functions execute arbitrary Python as root in the default Docker container; GHSA-6xcp-7mpr-m7wm demonstrated full RCE. [4]
File system access 4 / 4 Root access in the Docker container grants read-write to all container directories; CVE-2026-28788 confirmed file overwrite via RAG batch processing. [2]
Network access 4 / 4 Unrestricted outbound HTTP with confirmed SSRF bypass via CVE-2026-45400 and IPv6 bypass via GHSA-4v7r-f4w8-8972 reaching internal services. [7][9]
Credential access 3 / 4 API keys stored in Tool Valves are accessible to non-admin users via CVE-2026-34222; root-level server process has access to environment variables containing LLM provider keys. [6]
Autonomous action 2 / 4 Model-invoked tool calls fire within conversations without per-action approval per the RBAC permission model, but no scheduled or background autonomous actions exist. [17]
Deployment access 1 / 4 No deployment, CI/CD, or infrastructure management capabilities, so blast is contained to the runtime container and does not propagate to build pipelines or cloud accounts. [12]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Open WebUI provides no vendor-shipped prompt filtering or response sanitization beyond DOMPurify; the only active defenses are Docker-level process isolation and a role-based permission model.

Defense Controls Metrics

Higher defense scores indicate stronger vendor safeguards; Open WebUI scores 3 of 15 possible points.

Each component is scored based on vendor-implemented controls on the default configuration, not operator-managed hardening.

Component Score Comments
Input Guardrails 0 / 3 No prompt shield, no injection detection, and no instruction hierarchy on the default configuration per the vendor security policy. [12]
Execution Isolation 1 / 3 Default Docker runs as root with unrestricted network [13]; Pyodide browser sandbox is opt-in [16]; gVisor sandbox is a third-party add-on not bundled with the platform [16].
Action Controls 1 / 3 RBAC restricts tool creation to admins but no per-action approval gate exists for model-invoked calls; permissions are additive. [14][17]
Output Guardrails 0 / 3 No DLP, no credential redaction, and no exfiltration blocking; session tokens stored in LocalStorage are vulnerable to theft via any XSS chain, per the vendor security policy. [12]
Monitoring 1 / 3 Basic file-based logging with no active monitoring, SIEM forwarding, or anomaly detection per vendor documentation. [15]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the three-way exposure by restricting egress, sandboxing code execution, and adding input filtering.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require manual review of all community-imported tools, functions, and pipelines before enabling them in production.
  • Configuration Set CORS_ALLOW_ORIGINS to restrict allowed origins to trusted domains instead of the default wildcard, eliminating the cross-origin attack path exploited by GHSA-6xcp-7mpr-m7wm.
  • Engineering Deploy a reverse proxy with a prompt injection classifier upstream of the Open WebUI API endpoints.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Restrict workspace tool and function creation to a dedicated security-reviewed admin account only.
  • Configuration Deploy the safe-code-execution gVisor sandbox add-on and disable the default unsandboxed code execution backend.
  • Engineering Run the Docker container as a non-root user (--user 1000:1000), drop all capabilities except NET_BIND_SERVICE, and mount the root filesystem read-only with a writable tmpfs for /tmp and /app/backend/data.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Establish a formal approval process for enabling new tool integrations and model connections in production.
  • Configuration Disable workspace tool creation for all users and restrict function creation to operator-managed functions.
  • Engineering Implement a tool invocation proxy that logs and rate-limits model-initiated tool calls before execution.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Disable shared chat links in production deployments to prevent stored XSS distribution via shareable URLs.
  • Configuration Deploy a reverse proxy (nginx or Traefik) that intercepts Set-Cookie headers and rewrites JWT tokens from LocalStorage to HttpOnly Secure cookies, preventing XSS-based token theft without modifying Open WebUI source.
  • Engineering Deploy a content security policy header restricting inline scripts and frame-ancestors to block XSS chains.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require weekly review of server logs for tool invocations from non-admin users and unexpected memory write operations that may indicate prompt injection persistence.
  • Configuration Forward Open WebUI logs to a centralized SIEM platform via a syslog forwarder or log shipping agent.
  • Engineering Instrument tool execution and memory management endpoints with structured audit logging and anomaly alerting.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-64495 stored XSS via prompts CVSS 8.7; patched 0.6.35
  2. CVE-2026-28788 file overwrite in RAG CVSS 7.1; patched 0.8.6
  3. CVE-2026-45349 cross-user chat access CVSS 7.1; patched 0.9.0
  4. GHSA-6xcp-7mpr-m7wm CORS to RCE CVSS pending; 1-click RCE
  5. CVE-2026-26193 stored XSS via iframe CVSS 8.1; patched 0.6.44
  6. CVE-2026-34222 Tool Valves API keys CVSS 7.7; patched 0.8.11
  7. CVE-2026-45400 SSRF via URL parsing CVSS 8.5; patched 0.9.5
  8. GHSA-4g37-7p2c-38r9 IDOR KB bypass CVSS 7.5; Tenable disclosure
  9. GHSA-4v7r-f4w8-8972 SSRF IPv6 bypass CVSS pending; IPv6 bypass

Selected Research

  1. Helixar.ai CORS RCE chain CORS and session chain to RCE
  2. CyberPress SVG upload exploit SVG upload XSS-to-RCE chain

Vendor Documentation

  1. Open WebUI security policy GitHub-only disclosure process
  2. Open WebUI hardening guide Vendor assumes private trusted network; lists optional hardening steps
  3. Workspace Tools documentation Tool creation equals shell access
  4. Memory feature documentation Cross-session memory with tools

Other Sources

  1. Code execution environment docs Pyodide vs Open Terminal vs gVisor
  2. Authentication and access control RBAC and SSO/OIDC permissions
  3. Pipelines workflow processing Separate Docker service for filter and function pipelines