A flaw in Open WebUI's chat rendering lets any authenticated user inject arbitrary HTML/JS into a chat message via the undocumented `embeds` property, which is loaded into an iframe whose sandbox hardcodes `allow-scripts` and `allow-same-origin` regardless of the admin's configured settings — producing stored XSS that also survives into shared chat links. This is CVSS 7.3 high with low attack complexity and no public exploit or KEV listing yet, but EPSS sits in the top 90th percentile and the flaw is trivially reproducible with a browser proxy, making it an easy target once weaponized. Blast radius is significant given open-webui carries 113 other CVEs and is a widely deployed self-hosted LLM front-end; a malicious shared-chat link can steal any viewer's session token from local storage, and if an admin opens it, the same chain can escalate to server-side RCE per the linked advisory GHSA-w7xj-8fx7-wfch. Patch to open-webui 0.6.44 immediately, and in the meantime treat any shared chat links from untrusted users as hostile and monitor for anomalous `embeds` fields in the `history`/`messages` data model.
What is the risk?
High risk despite the absence of active exploitation or a public PoC exploit script — the vulnerability requires only low privileges and one user interaction (opening/viewing a manipulated chat or shared link), and the PoC is a simple authenticated API tampering exercise reproducible with any HTTP intercept proxy. The confidentiality and integrity impact are both high (C:H/I:H) because a successful exploit reads session tokens from local storage, enabling full account takeover, and — when triggered against an admin — can pivot into remote code execution via a documented chained advisory. No availability impact and no scanner/KEV signal currently exist, which tempers urgency slightly, but the combination of trivial reproducibility, a widely-used self-hosted product, and a session-hijack-to-RCE escalation path makes this a priority patch rather than a backlog item.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.6.43 | 0.6.44 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade open-webui to version 0.6.44 or later immediately, where the iframe sandbox flags are no longer hardcoded to
allow-scripts+allow-same-origin. Until patched, disable or restrict the chat sharing feature and treat any inbound shared-chat links as untrusted, especially before an admin opens them. Add server-side validation/stripping of theembedsproperty on chat message save (defense in depth, since the flaw is a client-trust issue in the save API). Detection: audit thehistory/messagesJSON blobs in the chat data store for unexpectedembedskeys, and monitor for anomalous local-storage/session-token exfiltration traffic from the Open WebUI origin. Rotate session tokens and force re-authentication for users who may have viewed a suspicious shared chat.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-26193?
A flaw in Open WebUI's chat rendering lets any authenticated user inject arbitrary HTML/JS into a chat message via the undocumented `embeds` property, which is loaded into an iframe whose sandbox hardcodes `allow-scripts` and `allow-same-origin` regardless of the admin's configured settings — producing stored XSS that also survives into shared chat links. This is CVSS 7.3 high with low attack complexity and no public exploit or KEV listing yet, but EPSS sits in the top 90th percentile and the flaw is trivially reproducible with a browser proxy, making it an easy target once weaponized. Blast radius is significant given open-webui carries 113 other CVEs and is a widely deployed self-hosted LLM front-end; a malicious shared-chat link can steal any viewer's session token from local storage, and if an admin opens it, the same chain can escalate to server-side RCE per the linked advisory GHSA-w7xj-8fx7-wfch. Patch to open-webui 0.6.44 immediately, and in the meantime treat any shared chat links from untrusted users as hostile and monitor for anomalous `embeds` fields in the `history`/`messages` data model.
Is CVE-2026-26193 actively exploited?
No confirmed active exploitation of CVE-2026-26193 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-26193?
Upgrade open-webui to version 0.6.44 or later immediately, where the iframe sandbox flags are no longer hardcoded to `allow-scripts`+`allow-same-origin`. Until patched, disable or restrict the chat sharing feature and treat any inbound shared-chat links as untrusted, especially before an admin opens them. Add server-side validation/stripping of the `embeds` property on chat message save (defense in depth, since the flaw is a client-trust issue in the save API). Detection: audit the `history`/`messages` JSON blobs in the chat data store for unexpected `embeds` keys, and monitor for anomalous local-storage/session-token exfiltration traffic from the Open WebUI origin. Rotate session tokens and force re-authentication for users who may have viewed a suspicious shared chat.
What systems are affected by CVE-2026-26193?
This vulnerability affects the following AI/ML architecture patterns: ml_ui / self-hosted LLM front-ends, chat/session management layers, shared-link collaboration features.
What is the CVSS score for CVE-2026-26193?
CVE-2026-26193 has a CVSS v3.1 base score of 7.3 (HIGH). The EPSS exploitation probability is 0.20%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Manually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with a sandbox that has `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable link containing the payload that can be distributed to any other users on the instance. ### Details The flaw stems from how iFrames are constructed here: https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/ResponseMessage.svelte#L689-L703 `messages.embeds` is a user controlled property and so can be arbitrarily set by the user to a payload of their choosing. Since `allowScripts` and `allowSameOrigin` are harcoded as true here the sandboxing offers essentially no protection. ### PoC Create an arbitrary chat: <img width="2468" height="1426" alt="image" src="https://github.com/user-attachments/assets/41e32f5c-3fa7-4208-a71f-85556eec6309" /> Edit the model response: <img width="632" height="192" alt="image" src="https://github.com/user-attachments/assets/b1e79303-360f-46e3-8d6d-3309c3ec30af" /> <img width="2150" height="434" alt="image" src="https://github.com/user-attachments/assets/78f19d7f-10dc-4e91-83cc-2d4811e58496" /> Before saving, configure the browser to use an HTTP proxy tool (Burp/Caido/ZAP) and intercept the save request. Find the object within the `history` and then `messages` objects (not the `messages` array) that corresponds to the edited text. <img width="2024" height="1528" alt="image" src="https://github.com/user-attachments/assets/953e5368-8e93-428b-b223-c695eacfe7b9" /> On this object, add an `embeds` key and list value as shown below, forward the request and refresh the page. <img width="1904" height="1530" alt="image" src="https://github.com/user-attachments/assets/0e56be6f-5513-490e-9961-972bdfbd5d8b" /> This results in XSS via the controlled content getting rendered in the iFrame. Note the bold text is just to aid demonstration. `console.log` is used to prove JS execution because the lack of `allow-modals` on the iFrame sandbox prevents alerts. <img width="2752" height="1686" alt="image" src="https://github.com/user-attachments/assets/4858f7b3-4e2f-4fab-a5a5-196df26bcdce" /> The same payload triggers when the chat is shared. <img width="2730" height="1426" alt="image" src="https://github.com/user-attachments/assets/ee88b538-9781-4276-b681-9953974b826d" /> ### Impact Any user can create a weaponised chat that can be shared and subsequently used to target other users. Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server. Admins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch.
Exploitation Scenario
An attacker with only a low-privilege chat account crafts a chat, then intercepts the save request with a proxy (Burp/Caido/ZAP) to inject an `embeds` field into a response message object containing a JavaScript payload. Refreshing the page renders the payload inside an iframe with full script and same-origin execution rights, letting the script read the victim's session token from local storage and exfiltrate it to an attacker-controlled server. The attacker then shares the weaponized chat link broadly — including baiting an administrator into opening it — where the same payload executes with the admin's session, enabling account takeover and, per the linked chained advisory, escalation to remote code execution on the Open WebUI server itself.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui