Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, manually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.
Published: 2026-02-19
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting enabling arbitrary client‑side code execution
Action: Patch
AI Analysis

Impact

Open WebUI (self‑hosted AI platform) allows a malicious user to edit chat history and set the HTML property inside document metadata. When this property exists, the frontend renders the document content as an iframe‑embedded HTML page. The stored payload can then be executed each time the citation is previewed, including when the chat is shared publicly. This flaw results in a stored XSS vulnerability that can run arbitrary scripts in the victim’s browser without additional user interaction.

Affected Systems

Open WebUI (open‑webui) versions prior to 0.7.0 are affected. Any deployment of the platform that permits manual chat history editing or the inclusion of custom metadata may be vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 7.3 indicates a high impact potential. Although the EPSS score is below 1%, the existence of the vulnerability in a widely used self‑hosted solution keeps the risk alive. The CISA KEV catalog does not list this issue, but that does not negate the attack surface. An attacker needs the ability to edit the chat history or inject content into a document. Once the attack vector is established, the stored script will covertly execute in any user’s browser that opens the citation, including users who view shared conversations. The scope is primarily client‑side code execution, potentially exposing session information, facilitating credential theft, or delivering other malicious actions on the victim’s behalf.

Generated by OpenCVE AI on April 17, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Open WebUI to version 0.7.0 or later, which removes the vulnerability by disabling the rendering of document metadata as HTML.
  • If an update is not yet possible, locate and delete or sanitize any document metadata entries that set the `html` property before they are stored in the database.
  • Restrict editing permissions or remove the ability to manually modify chat histories for untrusted users, and ensure shared chats are protected by strong access controls.
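The second recommended action above (find and strip `html` flags in stored document metadata while waiting to upgrade) can be done as a pass over the persisted chat JSON. The following is an added example, not Open WebUI project code; the chat layout it walks (messages carrying `sources`, each with a `document` list and a parallel `metadata` list) is an assumption about the stored shape, and the sample record is constructed for the demonstration. The scan reports where a truthy `html` flag sits inside any `metadata` object, and the sanitizer returns a copy with that key removed so the frontend never takes the iframe code path for that citation.

```python
import json
from typing import Any, List, Tuple

# Constructed sample chat record (assumed shape, not the project's schema).
# The first citation's metadata carries the `html` flag the advisory describes;
# the second is an ordinary citation and must pass through untouched.
SAMPLE_CHAT = {
    "id": "chat-example-1",
    "messages": [
        {
            "role": "assistant",
            "content": "See the attached report.",
            "sources": [
                {
                    "document": ["<p>document body</p>"],
                    "metadata": [{"source": "report.pdf", "html": True}],
                }
            ],
        },
        {
            "role": "assistant",
            "content": "Plain citation.",
            "sources": [
                {
                    "document": ["ordinary text"],
                    "metadata": [{"source": "notes.txt"}],
                }
            ],
        },
    ],
}


def scan_html_flags(node: Any, path: str = "$", in_metadata: bool = False) -> List[str]:
    """Return JSONPath-like locations of every object under a `metadata` key
    whose `html` property is truthy. Used for detection / audit logging."""
    hits: List[str] = []
    if isinstance(node, dict):
        if in_metadata and node.get("html"):
            hits.append(path)
        for key, value in node.items():
            hits.extend(scan_html_flags(value, f"{path}.{key}", in_metadata or key == "metadata"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(scan_html_flags(value, f"{path}[{index}]", in_metadata))
    return hits


def strip_html_flags(node: Any, in_metadata: bool = False) -> Tuple[Any, int]:
    """Return (deep copy without any `html` key inside metadata, number removed).
    The document text itself is left as-is; only the rendering flag is dropped."""
    if isinstance(node, dict):
        cleaned_dict = {}
        removed = 0
        for key, value in node.items():
            if in_metadata and key == "html":
                removed += 1
                continue
            child, n = strip_html_flags(value, in_metadata or key == "metadata")
            cleaned_dict[key] = child
            removed += n
        return cleaned_dict, removed
    if isinstance(node, list):
        cleaned_list = []
        removed = 0
        for value in node:
            child, n = strip_html_flags(value, in_metadata)
            cleaned_list.append(child)
            removed += n
        return cleaned_list, removed
    return node, 0


def sanitize_chat_json(text: str) -> Tuple[str, int]:
    """Convenience wrapper for a database pass: JSON text in, sanitized JSON text out."""
    cleaned, removed = strip_html_flags(json.loads(text))
    return json.dumps(cleaned), removed


if __name__ == "__main__":
    for location in scan_html_flags(SAMPLE_CHAT):
        print("html flag set at", location)
    sanitized, count = sanitize_chat_json(json.dumps(SAMPLE_CHAT))
    print(f"removed {count} flag(s); remaining hits: {scan_html_flags(json.loads(sanitized))}")
```

Run the scan first and keep its output as an audit trail of which chats carried the flag (each path identifies the message and citation), then apply the sanitizer to the stored records. Because the walk only acts under a `metadata` key, a literal "html" string inside document text is never touched.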

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openwebui; Openwebui open Webui
CPEs | | cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*
Vendors & Products | | Openwebui; Openwebui open Webui

Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-webui; Open-webui open-webui
Vendors & Products | | Open-webui; Open-webui open-webui

Fri, 20 Feb 2026 01:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, manually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.
Title | | Open WebUI vulnerable to Stored XSS via iFrame in citations model
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Open-webui Open-webui
Openwebui Open Webui
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:23:23.625Z

Reserved: 2026-02-11T19:56:24.812Z

Link: CVE-2026-26192

Vulnrichment

Updated: 2026-02-19T21:16:46.109Z

NVD

Status : Analyzed

Published: 2026-02-19T20:25:42.290

Modified: 2026-02-20T20:17:25.400

Link: CVE-2026-26192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses