CVE-2026-59220
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/07/2026
Last modified:
09/07/2026
Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILL_MENTION_RE and strip_re regular expressions in backend/open_webui/utils/middleware.py parsed skill mentions with overlapping quantifiers, allowing an authenticated chat message containing to trigger quadratic backtracking and block the asyncio event loop. This issue is fixed in version 0.10.0.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/open-webui/open-webui/commit/61a26722155ec6ee1b629cf8dfcf975098c18331
- https://github.com/open-webui/open-webui/releases/tag/v0.10.0
- https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw
- https://github.com/open-webui/open-webui/security/advisories/GHSA-ffpj-xv5c-p3gw



