CVE-2026-26193: Open WebUI: stored XSS via chat 'embeds' iframe escape

GHSA-vjm7-m4xh-7wrc HIGH
Published July 7, 2026
CISO Take

A flaw in Open WebUI's chat rendering lets any authenticated user inject arbitrary HTML/JS into a chat message via the undocumented `embeds` property, which is loaded into an iframe whose sandbox hardcodes `allow-scripts` and `allow-same-origin` regardless of the admin's configured settings — producing stored XSS that also survives into shared chat links. This is CVSS 7.3 high with low attack complexity and no public exploit or KEV listing yet, but EPSS sits in the top 90th percentile and the flaw is trivially reproducible with a browser proxy, making it an easy target once weaponized. Blast radius is significant given open-webui carries 113 other CVEs and is a widely deployed self-hosted LLM front-end; a malicious shared-chat link can steal any viewer's session token from local storage, and if an admin opens it, the same chain can escalate to server-side RCE per the linked advisory GHSA-w7xj-8fx7-wfch. Patch to open-webui 0.6.44 immediately, and in the meantime treat any shared chat links from untrusted users as hostile and monitor for anomalous `embeds` fields in the `history`/`messages` data model.

Sources: NVD GitHub Advisory EPSS

What is the risk?

High risk despite the absence of active exploitation or a public PoC exploit script — the vulnerability requires only low privileges and one user interaction (opening/viewing a manipulated chat or shared link), and the PoC is a simple authenticated API tampering exercise reproducible with any HTTP intercept proxy. The confidentiality and integrity impact are both high (C:H/I:H) because a successful exploit reads session tokens from local storage, enabling full account takeover, and — when triggered against an admin — can pivot into remote code execution via a documented chained advisory. No availability impact and no scanner/KEV signal currently exist, which tempers urgency slightly, but the combination of trivial reproducibility, a widely-used self-hosted product, and a session-hijack-to-RCE escalation path makes this a priority patch rather than a backlog item.

How does the attack unfold?

Initial Access
Attacker with a low-privilege chat account creates a normal chat conversation to establish a message to tamper with.
AML.T0049
Payload Injection
Using an intercepting proxy, the attacker adds an unauthorized `embeds` key with an XSS payload to the message object before the save request completes.
Execution & Propagation
On page refresh the payload executes inside the hardcoded allow-scripts/allow-same-origin iframe, and the attacker distributes the weaponized chat via a shareable link to other users or admins.
Impact
The script exfiltrates the victim's session token from local storage for account takeover, or — if an admin is targeted — escalates to server-side RCE via the chained advisory.
AML.T0012

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.6.43 0.6.44
144.2K Pushed 5d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
7.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Unchanged
C High
I High
A None

What should I do?

1 step
  1. Upgrade open-webui to version 0.6.44 or later immediately, where the iframe sandbox flags are no longer hardcoded to allow-scripts+allow-same-origin. Until patched, disable or restrict the chat sharing feature and treat any inbound shared-chat links as untrusted, especially before an admin opens them. Add server-side validation/stripping of the embeds property on chat message save (defense in depth, since the flaw is a client-trust issue in the save API). Detection: audit the history/messages JSON blobs in the chat data store for unexpected embeds keys, and monitor for anomalous local-storage/session-token exfiltration traffic from the Open WebUI origin. Rotate session tokens and force re-authentication for users who may have viewed a suspicious shared chat.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.6.2.6 - AI system security controls
NIST AI RMF
GOVERN 1.5 / MAP 2.3 - Risk Management Processes for Third-Party AI System Components
OWASP LLM Top 10
LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-26193?

A flaw in Open WebUI's chat rendering lets any authenticated user inject arbitrary HTML/JS into a chat message via the undocumented `embeds` property, which is loaded into an iframe whose sandbox hardcodes `allow-scripts` and `allow-same-origin` regardless of the admin's configured settings — producing stored XSS that also survives into shared chat links. This is CVSS 7.3 high with low attack complexity and no public exploit or KEV listing yet, but EPSS sits in the top 90th percentile and the flaw is trivially reproducible with a browser proxy, making it an easy target once weaponized. Blast radius is significant given open-webui carries 113 other CVEs and is a widely deployed self-hosted LLM front-end; a malicious shared-chat link can steal any viewer's session token from local storage, and if an admin opens it, the same chain can escalate to server-side RCE per the linked advisory GHSA-w7xj-8fx7-wfch. Patch to open-webui 0.6.44 immediately, and in the meantime treat any shared chat links from untrusted users as hostile and monitor for anomalous `embeds` fields in the `history`/`messages` data model.

Is CVE-2026-26193 actively exploited?

No confirmed active exploitation of CVE-2026-26193 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-26193?

Upgrade open-webui to version 0.6.44 or later immediately, where the iframe sandbox flags are no longer hardcoded to `allow-scripts`+`allow-same-origin`. Until patched, disable or restrict the chat sharing feature and treat any inbound shared-chat links as untrusted, especially before an admin opens them. Add server-side validation/stripping of the `embeds` property on chat message save (defense in depth, since the flaw is a client-trust issue in the save API). Detection: audit the `history`/`messages` JSON blobs in the chat data store for unexpected `embeds` keys, and monitor for anomalous local-storage/session-token exfiltration traffic from the Open WebUI origin. Rotate session tokens and force re-authentication for users who may have viewed a suspicious shared chat.

What systems are affected by CVE-2026-26193?

This vulnerability affects the following AI/ML architecture patterns: ml_ui / self-hosted LLM front-ends, chat/session management layers, shared-link collaboration features.

What is the CVSS score for CVE-2026-26193?

CVE-2026-26193 has a CVSS v3.1 base score of 7.3 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

ml_ui / self-hosted LLM front-endschat/session management layersshared-link collaboration features

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.5 / MAP 2.3
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

### Summary Manually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with a sandbox that has `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable link containing the payload that can be distributed to any other users on the instance. ### Details The flaw stems from how iFrames are constructed here: https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/ResponseMessage.svelte#L689-L703 `messages.embeds` is a user controlled property and so can be arbitrarily set by the user to a payload of their choosing. Since `allowScripts` and `allowSameOrigin` are harcoded as true here the sandboxing offers essentially no protection. ### PoC Create an arbitrary chat: <img width="2468" height="1426" alt="image" src="https://github.com/user-attachments/assets/41e32f5c-3fa7-4208-a71f-85556eec6309" /> Edit the model response: <img width="632" height="192" alt="image" src="https://github.com/user-attachments/assets/b1e79303-360f-46e3-8d6d-3309c3ec30af" /> <img width="2150" height="434" alt="image" src="https://github.com/user-attachments/assets/78f19d7f-10dc-4e91-83cc-2d4811e58496" /> Before saving, configure the browser to use an HTTP proxy tool (Burp/Caido/ZAP) and intercept the save request. Find the object within the `history` and then `messages` objects (not the `messages` array) that corresponds to the edited text. <img width="2024" height="1528" alt="image" src="https://github.com/user-attachments/assets/953e5368-8e93-428b-b223-c695eacfe7b9" /> On this object, add an `embeds` key and list value as shown below, forward the request and refresh the page. <img width="1904" height="1530" alt="image" src="https://github.com/user-attachments/assets/0e56be6f-5513-490e-9961-972bdfbd5d8b" /> This results in XSS via the controlled content getting rendered in the iFrame. Note the bold text is just to aid demonstration. `console.log` is used to prove JS execution because the lack of `allow-modals` on the iFrame sandbox prevents alerts. <img width="2752" height="1686" alt="image" src="https://github.com/user-attachments/assets/4858f7b3-4e2f-4fab-a5a5-196df26bcdce" /> The same payload triggers when the chat is shared. <img width="2730" height="1426" alt="image" src="https://github.com/user-attachments/assets/ee88b538-9781-4276-b681-9953974b826d" /> ### Impact Any user can create a weaponised chat that can be shared and subsequently used to target other users. Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server. Admins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch.

Exploitation Scenario

An attacker with only a low-privilege chat account crafts a chat, then intercepts the save request with a proxy (Burp/Caido/ZAP) to inject an `embeds` field into a response message object containing a JavaScript payload. Refreshing the page renders the payload inside an iframe with full script and same-origin execution rights, letting the script read the victim's session token from local storage and exfiltrate it to an attacker-controlled server. The attacker then shares the weaponized chat link broadly — including baiting an administrator into opening it — where the same payload executes with the admin's session, enabling account takeover and, per the linked chained advisory, escalation to remote code execution on the Open WebUI server itself.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
July 7, 2026
Last Modified
July 7, 2026
First Seen
July 7, 2026

Related Vulnerabilities