Inefficient regular expression complexity in Open WebUI - #VU135957
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in skill-mention regexes in backend/open_webui/utils/middleware.py when processing chat messages or retrieved content containing a skill-mention pattern without a closing >. A remote user can send a specially crafted chat message to cause a denial of service.
The affected regex processing runs synchronously on the asyncio event loop on every chat completion with no feature gate, and benign retrieved content such as a RAG chunk or tool output can also trigger the issue.
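The cost pattern described above, shown as an added example that is not Open WebUI's code: the mention syntax `<@skill:NAME>`, both regexes, the helper names and the length cap are assumptions constructed for illustration. It puts a lazy-wildcard pattern beside a bounded one and times each on input that never supplies the closing `>`.

```python
import re
import time

# Hypothetical mention syntax "<@skill:NAME>", constructed for this example.
# Lazy wildcard: with no closing ">" each "<@skill:" opener makes the engine
# scan to the end of the line before failing, so n openers cost O(n * len).
SLOW = re.compile(r"<@skill:(.*?)>")
# Bounded token: the name is 1-64 characters from a fixed class, so a failed
# attempt stops after at most 64 characters and total work stays linear.
FAST = re.compile(r"<@skill:([A-Za-z0-9_-]{1,64})>")

MAX_SCAN_CHARS = 100_000  # assumed cap on scanned text; tune per deployment


def find_mentions(text, pattern=FAST):
    """Return skill names mentioned in text, scanning at most MAX_SCAN_CHARS."""
    return pattern.findall(text[:MAX_SCAN_CHARS])


def unterminated(openers):
    """Constructed test input: repeated openers and no closing '>'."""
    return "<@skill:" * openers


def seconds(pattern, text):
    """Wall-clock time for one full scan of text with pattern."""
    start = time.perf_counter()
    pattern.findall(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    ok = "use <@skill:web-search> then <@skill:summarize>"
    print(find_mentions(ok, SLOW), find_mentions(ok, FAST))
    # Doubling the input roughly quadruples SLOW; FAST grows linearly.
    for n in (500, 1000, 2000):
        text = unterminated(n)
        print(n, f"slow={seconds(SLOW, text):.4f}s",
              f"fast={seconds(FAST, text):.4f}s")
```

CPython's `re` matching holds the GIL, so moving a slow scan to a worker thread does not free the event loop; the pattern itself and the input length have to be bounded.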