Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded <script> runs in the Open WebUI origin. This vulnerability is fixed in 0.9.3.
Published: 2026-05-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious user to store a script via the audio transcription upload by submitting a polyglot file that is both a valid WAV and an HTML document, under a filename with an .html extension. When another user opens the resulting URL, the server serves the file with a Content-Type of text/html and no Content-Disposition, so the browser executes the script in the context of the Open WebUI origin. This can lead to cookie theft, credential compromise, or other client-side attacks.

Affected Systems

Open WebUI versions earlier than 0.9.3. Any verified user with the chat.stt permission (enabled by default) can upload the file; any other user can be tricked into visiting the URL.

Risk and Exploitability

The CVSS score of 8.7 categorises it as high severity. EPSS is unavailable, and it is not listed in the CISA KEV catalogue. The attack requires a verified user with upload privileges and a second target who follows a crafted link; the vector is likely a social‑engineering or phishing scenario involving the upload endpoint.

Generated by OpenCVE AI on May 15, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open WebUI 0.9.3 or later, where the vulnerability is fixed.
  • If an upgrade is not immediately possible, restrict audio file uploads to highly trusted users and enforce strict server‑side validation of the file extension and MIME type.
  • Configure the file serving route to add a Content-Disposition header and serve only trusted file types, or relocate uploaded files outside of a publicly accessible cache path.
  • Implement sanitisation or CSP policies to mitigate potential XSS if the issue could be exploited in future versions or similar uploads.

Generated by OpenCVE AI on May 15, 2026 at 23:54 UTC.
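As an added illustration of the recommended actions above (constructed example code, not Open WebUI's own code or its 0.9.3 fix; the function names, the allowlist and the 8 KiB markup scan are assumptions), the following derives the stored extension from the file's own bytes rather than the client's filename, rejects audio that carries HTML markup, and serves cached files only with an allowlisted Content-Type plus Content-Disposition: attachment:

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Server-side allowlist: the extension the server assigns and the MIME type it
# will serve, keyed by a magic-byte probe on the content (never the filename).
ALLOWED_AUDIO: Dict[str, Tuple[str, Callable[[bytes], bool]]] = {
    "wav": ("audio/wav", lambda b: b[:4] == b"RIFF" and b[8:12] == b"WAVE"),
    "ogg": ("audio/ogg", lambda b: b[:4] == b"OggS"),
    "flac": ("audio/flac", lambda b: b[:4] == b"fLaC"),
    "mp3": ("audio/mpeg", lambda b: b[:3] == b"ID3" or b[:2] == b"\xff\xfb"),
}

# Markup that has no business in an audio file; a WAV+HTML polyglot carries a
# valid RIFF header, so the magic-byte check alone would accept it.
HTML_MARKERS = (b"<script", b"<html", b"<!doctype html", b"<svg", b"<iframe")

def detect_audio_extension(data: bytes) -> Optional[str]:
    """Extension chosen by the server from the detected container, else None."""
    for ext, (_, probe) in ALLOWED_AUDIO.items():
        if probe(data):
            return ext
    return None

def looks_like_markup_polyglot(data: bytes) -> bool:
    """True if the first 8 KiB contain HTML markup (case-insensitive)."""
    head = data[:8192].lower()
    return any(marker in head for marker in HTML_MARKERS)

def safe_transcription_name(user_filename: str, data: bytes) -> str:
    """On-disk name for an upload: random stem plus a content-derived extension.
    user_filename (e.g. 'pwn.html') is display-only and never reaches the path."""
    ext = detect_audio_extension(data)
    if ext is None:
        raise ValueError("unsupported or unrecognised audio container")
    if looks_like_markup_polyglot(data):
        raise ValueError("audio upload contains HTML markup")
    return f"{secrets.token_hex(16)}.{ext}"

def cache_response_headers(stored_name: str) -> Dict[str, str]:
    """Headers for the cache route: MIME type from the allowlist only, forced
    download so the browser never renders it, and no content sniffing."""
    ext = stored_name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_AUDIO:
        raise ValueError("refusing to serve a non-audio file from the cache")
    return {
        "Content-Type": ALLOWED_AUDIO[ext][0],
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```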


Advisories

Source: GitHub GHSA
ID: GHSA-m8f9-9whg-f4xr
Title: Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
History

Fri, 15 May 2026 23:45:00 +0000

Type: First Time appeared
Values Added: Open-webui; Open-webui open-webui

Type: Vendors & Products
Values Added: Open-webui; Open-webui open-webui

Fri, 15 May 2026 22:00:00 +0000

Type: Description
Values Added: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded <script> runs in the Open WebUI origin. This vulnerability is fixed in 0.9.3.

Type: Title
Values Added: Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions

Type: Weaknesses
Values Added: CWE-434, CWE-646, CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:26:54.790Z

Reserved: 2026-05-11T20:50:30.538Z

Link: CVE-2026-45315

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T22:16:54.250

Modified: 2026-05-15T22:16:54.250

Link: CVE-2026-45315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T00:00:12Z

Weaknesses