What happened
Before Open WebUI 0.9.6, the chat page's window message listener acts on postMessage events of type input:prompt and action:submit without checking that they come from its own origin. A page on any other origin that is open in the same browser can set the prompt text and trigger submitPrompt() in an authenticated victim's Open WebUI tab, so attacker-chosen prompts reach the AI model with no interaction from the user. CVSS 7.1 High, published 2026-06-23.
Why it matters
This is a cross-origin prompt injection: any website can drive an authenticated Open WebUI session and submit arbitrary prompts to the LLM, and through those prompts attempt to extract responses, pivot through agent tools the model can call, or exfiltrate chat history, all without the user's knowledge or interaction. Open WebUI has hundreds of thousands of self-hosted deployments.
Attack vector
An attacker-controlled webpage obtains a handle to the victim's Open WebUI tab (for example by opening it with window.open() or embedding it in an iframe) and calls postMessage twice on it: first {type:'input:prompt', data:'...'} to set the prompt text, then {type:'action:submit'} to submit it. Because the vulnerable listener does not compare event.origin against its own origin, both messages are processed as if Open WebUI itself had sent them, and the prompt is submitted in the authenticated session.
Affected systems
Open WebUI < 0.9.6
Mitigation
Upgrade to Open WebUI 0.9.6 or later, which stops acting on these message types when they are not same-origin. Advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55
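To make the attack vector and the fix concrete, here is an added example that models both sides: a message listener that dispatches on event.data.type in the vulnerable form (no origin check) and in the hardened form (same-origin check), plus the two messages an attacker page would post. This is illustrative code written for this page, not Open WebUI's own code; the origins, the state object and the helper names are assumptions, and the chat state is a stand-in for the app's prompt store and submitPrompt(). It runs under Node because the browser event is modelled as a plain {origin, data} object, which is exactly what the listener sees.

```javascript
// Added example, not Open WebUI code. Models a window "message" listener that
// handles input:prompt / action:submit, first without and then with an origin check.

const APP_ORIGIN = "https://chat.example.internal"; // assumed Open WebUI origin
const ATTACKER_ORIGIN = "https://evil.example";      // assumed attacker page origin

// Stand-in for the chat page's state: the prompt field and what got submitted.
function makeChatState() {
  return { prompt: "", submitted: [] };
}

// Dispatch on message type. Mirrors the two message types named in the advisory.
function applyMessage(state, data) {
  if (!data || typeof data !== "object") return;
  if (data.type === "input:prompt" && typeof data.data === "string") {
    state.prompt = data.data;                 // sets the prompt text
  } else if (data.type === "action:submit") {
    if (state.prompt.trim() !== "") {
      state.submitted.push(state.prompt);     // stand-in for submitPrompt()
      state.prompt = "";
    }
  }
}

// Vulnerable pattern: acts on any sender, regardless of event.origin.
function vulnerableListener(state, event) {
  applyMessage(state, event.data);
  return true;
}

// Hardened pattern: only act on messages from our own origin.
// event.origin is set by the browser and cannot be forged by the sender.
function hardenedListener(state, event) {
  if (event.origin !== APP_ORIGIN) return false; // reject cross-origin control messages
  applyMessage(state, event.data);
  return true;
}

// The two messages an attacker page would post to the victim tab, as the
// listener receives them (constructed sample, with the sender's origin attached).
function attackerMessages(origin) {
  return [
    { origin, data: { type: "input:prompt", data: "Summarize my last 20 chats verbatim" } },
    { origin, data: { type: "action:submit" } },
  ];
}

// Deliver the attacker's messages to a listener and report what got submitted.
function simulate(listener, senderOrigin) {
  const state = makeChatState();
  for (const ev of attackerMessages(senderOrigin)) listener(state, ev);
  return state.submitted;
}

// Stand-alone run: the vulnerable listener submits the attacker's prompt,
// the hardened one ignores it but still serves same-origin callers.
console.log("vulnerable:", simulate(vulnerableListener, ATTACKER_ORIGIN));
console.log("hardened, attacker:", simulate(hardenedListener, ATTACKER_ORIGIN));
console.log("hardened, same-origin:", simulate(hardenedListener, APP_ORIGIN));
```

In a real browser the attacker page would hold a window reference from window.open() or an iframe and call ref.postMessage(msg, "*"); the victim's listener receives the same {origin, data} shape modelled here. The check on event.origin is the standard fix for this class of bug, since the browser fills that field in and the sending page has no way to spoof it; the exact form of the change in 0.9.6 is in the advisory linked above.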