Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0.
Published: 2026-05-15
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits a user with model creation rights to embed malicious JavaScript into a model’s description, which is stored and rendered when any user, including administrators, views the model in the chat UI. This stored cross‑site scripting can be used to hijack sessions, deface content, or exfiltrate data from the victim’s browser, compromising the confidentiality and integrity of the affected users’ sessions.

Affected Systems

Open WebUI is impacted when running any version earlier than 0.9.0. All instances of the open‑webui product that have not applied the 0.9.0 update are vulnerable, regardless of hosting environment, since the flaw exists in the core model description handling logic.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity; the EPSS score is very low and the vulnerability is not listed in CISA KEV. An attacker must be authenticated and possess the workspace.models permission, a right typically granted to content creators. Once a malicious model is created, any user who opens that model in the chat UI executes the embedded script in their browser, so the likely attack path is misuse of an authenticated account, whether malicious or compromised. The absence of remote code execution does not diminish the practical risk, as arbitrary JavaScript can manipulate page content, steal cookies, or perform actions on behalf of the victim.

Generated by OpenCVE AI on May 15, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 0.9.0 update or later to remove the stored XSS flaw
  • Limit workspace.models permissions to trusted individuals or high‑privileged roles only
  • Review existing models and purge any that contain script tags or suspicious content to prevent exploitation
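The last two recommended actions amount to one review-and-harden procedure: find stored model descriptions that carry markup, and make sure the description is rendered as text rather than HTML. The script below is an added example, not Open WebUI's own code; it assumes a model record with `model_id`, `owner` and `description` fields (the real schema and API are not quoted here) and runs on constructed sample records.

```python
"""Triage stored model descriptions for embedded HTML/script, and contrast an
unsafe rendering step with an HTML-escaped one (the fix class for CWE-79).
Added example: the record shape and sample data are assumptions, not Open
WebUI's schema."""
import html
import re
from dataclasses import dataclass

# Markers a reviewer would flag in a field that is meant to hold plain text:
# script tags, inline event handlers, javascript: URLs, and active embeds.
RISKY_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.IGNORECASE),
]


@dataclass
class ModelRecord:
    """Hypothetical shape of one exported model record (assumption)."""
    model_id: str
    owner: str
    description: str


def find_risky_models(models):
    """Return (model_id, owner, matched_pattern) for every description that
    looks like it carries markup; the first matching pattern is reported."""
    hits = []
    for m in models:
        for pat in RISKY_PATTERNS:
            if pat.search(m.description):
                hits.append((m.model_id, m.owner, pat.pattern))
                break
    return hits


def render_description_unsafe(description):
    """The failure mode: user-controlled text inserted into HTML as markup."""
    return f'<p class="model-description">{description}</p>'


def render_description_safe(description):
    """Hardened form: escape <, >, &, and quotes so the browser displays the
    text instead of parsing it as markup."""
    return f'<p class="model-description">{html.escape(description, quote=True)}</p>'


# Constructed sample data: one clean record and two that a review should flag.
SAMPLE_MODELS = [
    ModelRecord("helpdesk-assistant", "alice", "Answers tier-1 support questions."),
    ModelRecord("summarizer", "bob", "Summarizes long documents. <script>alert(1)</script>"),
    ModelRecord("translator", "carol", 'See <a href="javascript:alert(1)">docs</a>'),
]

if __name__ == "__main__":
    for model_id, owner, pattern in find_risky_models(SAMPLE_MODELS):
        print(f"REVIEW: model={model_id} owner={owner} matched={pattern}")
    # The escaped output contains &lt;script&gt;, which the browser shows as text.
    print(render_description_safe(SAMPLE_MODELS[1].description))
```

The pattern list is a triage aid, not a sanitizer: it will flag harmless text such as `onboarding=` and will miss obfuscated markup, so flagged records should be inspected by a person and the durable fix is escaping (or a vetted HTML sanitizer) at the rendering step.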


Advisories

Source: GitHub GHSA
ID: GHSA-gf5m-wcrh-7928
Title: open-webui Vulnerable to Stored XSS via Model Description
History

Fri, 15 May 2026 22:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Open-webui; Open-webui open-webui
Vendors & Products   |                | Open-webui; Open-webui open-webui

Fri, 15 May 2026 20:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0.
Title        |                | Open WebUI: Stored XSS via Model Description
Weaknesses   |                | CWE-79
References   |                |
Metrics      |                | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T20:02:16.820Z

Reserved: 2026-05-07T18:04:17.308Z

Link: CVE-2026-44721

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T21:16:36.370

Modified: 2026-05-15T21:16:36.370

Link: CVE-2026-44721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses