diff --git a/cmake/scripts/config.sh.in b/cmake/scripts/config.sh.in
index 3508ff3e425b67f737cf37d6611bdb499e73943f..2ad66a08b7ff1f5c9cf8eaeb9c35b5e9ea60b855 100644
--- a/cmake/scripts/config.sh.in
+++ b/cmake/scripts/config.sh.in
@@ -58,5 +58,11 @@ if [ $same_system -eq 1 ]; then
                         export PATH=$PATH:"@MY_PATH@"
 			;;
 	esac
+
+        echo "default root version is "`which root`
+        alias root='root --web=off'
+        alias
+        echo "root web-gui turned off by default via an alias. See security issue https://root.cern/about/security/#2023-11-26-open-port-for-control-of-web-gui-allows-read-and-write-access-to-file-system"
+
  	echo "Configured CBMROOT build @CBMROOT_BUILD_HASH@ (@CBMROOT_BUILD_HASH_DATE@)"
 fi