Ghostwire

CVE-2026-59220: Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the...

MEDIUM CVSS 0.0

Published: July 9, 2026 | Last Modified: July 9, 2026

Description

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed skill mentions with overlapping quantifiers, allowing an authenticated chat message containing to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References