[GH-ISSUE #22715] [Security] eval() in config.py + CORS wildcard in Swagger UI #58461

Closed
opened 2026-05-05 23:12:47 -05:00 by GiteaMirror · 1 comment

Originally created by @hhhashexe on GitHub (Mar 16, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/22715

Found via SkillFence (https://npmjs.com/package/skillfence) automated scan.

Finding 1: config.py — eval() dynamic code execution.

Finding 2: swagger-ui-bundle.js — CORS wildcard (*) pattern.

Finding 3: mineru.py — Authentication disabled pattern.

Recommendation:

  • Replace eval() with safe alternatives
  • Restrict CORS to specific origins
  • Enable auth by default

Scan: npx skillfence scan . (82 critical, 87 high)

Responsible disclosure via automated security scanning.


@pr-validator-bot commented on GitHub (Mar 16, 2026):

⚠️ Missing Issue Title Prefix

@hhhashexe, your issue title is missing a prefix (e.g., bug:, feat:, docs:).

Please update your issue title to include one of the following prefixes:

  • bug: Bug report or error you've encountered
  • feat: Feature request or enhancement suggestion
  • docs: Documentation issue or improvement request
  • question: Question about usage or functionality
  • help: Request for help or support

Example: bug: Login fails when using special characters in password


Reference: github-starred/open-webui#58461