mediumCVE-2026-59225

CVE-2026-59225 Open WebUI vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The normal chat route resolves arena models before the final chat dispatch and therefore re-checks the selected underlying model. The task routes call utils.chat.generate_chat_completion() directly. In that direct path, arena fallback resolution happens after the wrapper access check and then recurses with bypass_filter=True, skipping the selected submodel's access check. This issue is fixed in version 0.10.0.

ProductOpen WebUI
CVSS5.4
EPSS0.00211
UpdatedJuly 12, 2026

Quick answer

Open WebUI should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Open WebUI >=0.8.12 <0.10.0

Fixed versions

  • 0.10.0

How to fix it

CVE-2026-59225 affects Open WebUI 0.8.12 before 0.10.0, where task endpoints could reach restricted underlying arena models after checking only the wrapper model access. Prioritize shared or internet-facing Open WebUI deployments because the issue can affect realtime sessions, model access, knowledge files, terminal proxy access, or sensitive settings depending on the endpoint. Upgrade Open WebUI to 0.10.0 or a later supported release. Restrict task endpoints and arena wrapper access while remediation is pending.

  1. Inventory all Open WebUI deployments, containers, workers, reverse proxies, realtime Socket.IO endpoints, terminal integrations, and configured model providers.
  2. Identify Open WebUI 0.8.12 before 0.10.0 and schedule an upgrade to Open WebUI 0.10.0 or later for CVE-2026-59225.
  3. Upgrade Open WebUI to 0.10.0 or a later supported release, rebuild images, restart services, and clear stale application caches where applicable.
  4. Restrict task endpoints and arena wrapper access while remediation is pending.
  5. Review Open WebUI roles, verified-user status, model permissions, knowledge base permissions, terminal connections, Redis token revocation, and provider credentials for unnecessary exposure.
  6. Review application, reverse proxy, Socket.IO, terminal backend, and audit logs for suspicious endpoint use matching the affected workflow.
  7. If credential or data exposure is suspected, revoke sessions and API keys, rotate provider credentials and webhooks, remove malicious content, and preserve request logs before cleanup.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm every Open WebUI deployment reports version 0.10.0 or later and that old images or services are no longer running.
  • Confirm task endpoints re-check access to the selected underlying model after arena fallback resolution.
  • Confirm authorization checks, token revocation, role checks, and response filtering match the intended policy for affected users and endpoints.
  • Run focused regression checks against the affected endpoint and confirm unauthorized or malformed requests fail safely.
  • Document patched image digests, configuration changes, credential rotation, log review, and test evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59225?

Open WebUI versions listed as affected should be reviewed: Open WebUI >=0.8.12 <0.10.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.