AI Threat Alert
Open WebUI's file preview panel renders Mermaid diagrams from uploaded Markdown files by injecting the generated SVG directly into the DOM via innerHTML with Mermaid configured in 'loose' security mode, enabling any authenticated user to deliver a stored XSS payload that executes JavaScript under the application's full origin. Despite a low absolute EPSS score (0.00037), this ranks in the top 89th percentile for exploitation likelihood, and the published PoC is trivially reproducible — a single Mermaid flowchart node with a javascript: click handler requires no specialized knowledge to weaponize against other users or administrators. In multi-user or enterprise Open WebUI deployments fronting Ollama, LiteLLM, or OpenAI-compatible backends, a successful exploit yields session hijacking, LLM API key theft, and unrestricted access to conversation histories containing potentially sensitive organizational data. Organizations running open-webui ≤ 0.9.5 must upgrade to 0.9.6 immediately; as a temporary workaround, restrict file upload access to trusted roles only and enforce a Content Security Policy that blocks javascript: URI execution.
What is the risk?
High risk in any multi-user Open WebUI deployment. The attack requires only low privileges (any authenticated user) and one user interaction (clicking a rendered Mermaid node), making exploitation realistic in collaborative AI environments where file sharing is routine. The Changed scope means impact extends beyond the attacker's own session to other users and administrators. With 102 recorded CVEs in this package and an EPSS ranking in the top 89th percentile, open-webui is a well-established attack surface that attracts sustained adversary attention. Self-hosted deployments without centralized session management, strict CSP, or WAF controls are most exposed.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.9.5 | 0.9.6 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
PATCH
Upgrade to open-webui 0.9.6 which switches Mermaid to securityLevel: 'strict', enabling DOMPurify sanitization for all rendered SVG output.
-
WORKAROUND
If immediate patching is blocked, disable the Code Interpreter feature or restrict file upload capabilities to administrator roles only via access controls.
-
CSP
Enforce a Content Security Policy that blocks 'javascript:' URI schemes and restricts script-src to known-good origins — this provides defense-in-depth against this and future XSS variants.
-
DETECTION
Audit uploaded .md files for Mermaid blocks containing 'javascript:' strings, 'onclick', or 'onerror' attributes; query proxy and WAF logs for SVG content with embedded event handlers.
-
MONITORING
Alert on abnormal session activity — logins from new IPs immediately following file upload events — as a behavioral indicator of post-exploitation credential reuse.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-54011?
Open WebUI's file preview panel renders Mermaid diagrams from uploaded Markdown files by injecting the generated SVG directly into the DOM via innerHTML with Mermaid configured in 'loose' security mode, enabling any authenticated user to deliver a stored XSS payload that executes JavaScript under the application's full origin. Despite a low absolute EPSS score (0.00037), this ranks in the top 89th percentile for exploitation likelihood, and the published PoC is trivially reproducible — a single Mermaid flowchart node with a javascript: click handler requires no specialized knowledge to weaponize against other users or administrators. In multi-user or enterprise Open WebUI deployments fronting Ollama, LiteLLM, or OpenAI-compatible backends, a successful exploit yields session hijacking, LLM API key theft, and unrestricted access to conversation histories containing potentially sensitive organizational data. Organizations running open-webui ≤ 0.9.5 must upgrade to 0.9.6 immediately; as a temporary workaround, restrict file upload access to trusted roles only and enforce a Content Security Policy that blocks javascript: URI execution.
Is CVE-2026-54011 actively exploited?
No confirmed active exploitation of CVE-2026-54011 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54011?
1. PATCH: Upgrade to open-webui 0.9.6 which switches Mermaid to securityLevel: 'strict', enabling DOMPurify sanitization for all rendered SVG output. 2. WORKAROUND: If immediate patching is blocked, disable the Code Interpreter feature or restrict file upload capabilities to administrator roles only via access controls. 3. CSP: Enforce a Content Security Policy that blocks 'javascript:' URI schemes and restricts script-src to known-good origins — this provides defense-in-depth against this and future XSS variants. 4. DETECTION: Audit uploaded .md files for Mermaid blocks containing 'javascript:' strings, 'onclick', or 'onerror' attributes; query proxy and WAF logs for SVG content with embedded event handlers. 5. MONITORING: Alert on abnormal session activity — logins from new IPs immediately following file upload events — as a behavioral indicator of post-exploitation credential reuse.
What systems are affected by CVE-2026-54011?
This vulnerability affects the following AI/ML architecture patterns: AI chat frontends, self-hosted LLM interfaces, multi-user LLM platforms, RAG-connected chat UIs.
What is the CVSS score for CVE-2026-54011?
CVE-2026-54011 has a CVSS v3.1 base score of 8.7 (HIGH). The EPSS exploitation probability is 0.04%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0011 User Execution AML.T0011.003 Malicious Link AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials AML.T0085 Data from AI Services Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using `innerHTML`. Because Mermaid is configured with `securityLevel: 'loose'`, attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin. This is a confirmed stored XSS vulnerability reachable through normal product functionality. ## Affected Version - `main` - Reproduced on `v0.8.12` ## Affected Code Mermaid is initialized in permissive mode: https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698 The file preview path renders Mermaid output and injects the returned SVG into the DOM: https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133 ## Impact A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel. ## PoC A malicious `.md` file containing the follwowing contents can be used to trigger the bug: ```` ```mermaid flowchart LR A[click me] click A href "javascript:alert(document.domain)" "x" ``` ```` Steps to reproduce: 1- Create a new chat 2- Enable Code Interpreter and browse and upload the file with `.md` extension. <img width="331" height="258" alt="image" src="https://github.com/user-attachments/assets/bce2b754-56d1-4da1-90a9-22bcb93269f2" /> 3- Clicking on the file, and clicking `click me` should pop an alert <img width="1103" height="485" alt="image" src="https://github.com/user-attachments/assets/18754486-799b-434e-a2fc-dd7c09956a29" /> ## Remediation Since `mermaid` has `DOMPurify` as a built-in, it is recommended to use the `strict` mode instead of `loose`.
Exploitation Scenario
An attacker with a standard user account in a shared Open WebUI deployment crafts a Markdown file containing a Mermaid flowchart with a click-handler node pointing to a javascript: URI that exfiltrates document.cookie and any localStorage-stored API keys to an attacker-controlled server. They upload the file via the Code Interpreter attachment feature with an innocuous filename such as 'architecture-review.md' and share the chat with a target user, ideally an administrator. When the target opens the file preview panel and clicks the rendered 'Click to view details' node, session tokens and stored credentials are silently exfiltrated. The attacker uses the stolen session to access admin panels, enumerate all connected LLM API keys, read full conversation histories across all users, and pivot laterally to the underlying LLM infrastructure or connected data sources.
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui