What happened
Open WebUI backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter, allowing query injection to manipulate the terminal backend connection.
Why it matters
Open WebUI is a widely self-hosted AI chat platform; this flaw in its terminal-proxy feature allows manipulation of backend WebSocket routing, potentially enabling session confusion or unauthorized terminal access in multi-user deployments.
Attack vector
Unencoded session_id used to build upstream terminal WebSocket URL allows query-string injection to redirect or manipulate the backend connection
Affected systems
Open WebUI < 0.10.0
Mitigation
Upgrade to Open WebUI ≥0.10.0