Authentication Bypass by Spoofing in Open WebUI - #VU136848
Published: July 3, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to spoof another user's identity to access that user's terminal scope.
The vulnerability exists due to authentication bypass by spoofing in the terminal proxy in backend/open_webui/routers/terminals.py when forwarding terminal identity to the upstream terminal server or backend coordinator. A remote user can supply crafted terminal requests or a crafted session_id value to make the upstream resolve a spoofed user identity and access that user's terminal scope.
On the WebSocket path, exploitation can allow attaching to a live PTY when a valid active session ID is known, such as one exposed through a shared chat.
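The root cause described above is a proxy that forwards an identity the client can influence instead of the identity the server already authenticated. The following added example (not Open WebUI's code; the header names, the session store, and the function names are assumptions made for illustration) shows the two patterns side by side: a resolver that trusts a client-supplied identity value, and a hardened resolver that derives the user from the server-side auth context, strips any client-supplied identity headers before forwarding upstream, and refuses to attach to a session unless it is active and owned by the authenticated user.

```python
from dataclasses import dataclass
import hmac

# Header names the upstream terminal server reads identity from.
# These are hypothetical; the real proxy and upstream may use different names.
IDENTITY_HEADERS = {"x-terminal-user", "x-user-id"}


@dataclass(frozen=True)
class TerminalSession:
    session_id: str
    owner_id: str
    active: bool = True


# Constructed sample session store standing in for the backend coordinator's state.
SESSIONS = {
    "sess-a1": TerminalSession("sess-a1", owner_id="alice"),
    "sess-b1": TerminalSession("sess-b1", owner_id="bob"),
    "sess-old": TerminalSession("sess-old", owner_id="alice", active=False),
}


def resolve_identity_vulnerable(client_headers, session_id):
    """Vulnerable pattern: whatever identity the client puts in the request is
    forwarded as-is, so a crafted request can make the upstream resolve
    another user's identity and scope."""
    spoofable_user = client_headers.get("X-Terminal-User")
    return {"user_id": spoofable_user, "session_id": session_id}


def build_upstream_headers(client_headers, authenticated_user_id):
    """Hardened forwarding: drop every client-supplied identity header and set
    the identity from the server-side authenticated principal only."""
    clean = {k: v for k, v in client_headers.items() if k.lower() not in IDENTITY_HEADERS}
    clean["X-Terminal-User"] = authenticated_user_id
    return clean


def authorize_attach(authenticated_user_id, requested_session_id, sessions=SESSIONS):
    """Hardened attach check for the WebSocket/PTY path: a session ID alone is
    not a capability. The session must exist, be active, and be owned by the
    authenticated user; otherwise return None so the caller rejects the attach.
    A constant-time comparison avoids leaking owner IDs via timing."""
    session = sessions.get(requested_session_id)
    if session is None or not session.active:
        return None
    if not hmac.compare_digest(session.owner_id.encode(), authenticated_user_id.encode()):
        return None
    return {"user_id": authenticated_user_id, "session_id": session.session_id}


def proxy_terminal_request(authenticated_user_id, client_headers, requested_session_id):
    """Combined hardened flow: authorize first, then build the headers the
    upstream will trust. Returns None when the request must be refused."""
    grant = authorize_attach(authenticated_user_id, requested_session_id)
    if grant is None:
        return None
    return {
        "headers": build_upstream_headers(client_headers, authenticated_user_id),
        "session_id": grant["session_id"],
    }


if __name__ == "__main__":
    # Constructed request: the client claims to be alice but was authenticated as bob.
    hdrs = {"X-Terminal-User": "alice", "Content-Type": "application/json"}
    print("vulnerable:", resolve_identity_vulnerable(hdrs, "sess-a1"))
    print("hardened  :", proxy_terminal_request("bob", hdrs, "sess-a1"))
```

The usage at the bottom illustrates the difference on a request where a user authenticated as `bob` submits a valid session ID belonging to `alice` (the "known session ID from a shared chat" case): the vulnerable resolver hands the upstream alice's identity, while the hardened flow returns `None` and never forwards the request.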