Multiple high-severity vulnerabilities in Open WebUI allow attackers to plant malicious chat content that executes when viewed, leading to theft of JWTs and session tokens from localStorage, full account takeover, and compromise of sensitive AI assets. The flaws affect markdown rendering, citation and response iframe handling, and HTML file-serving paths, including cases where attacker-controlled content was rendered with dangerous HTML processing or iframe sandbox settings such as allow-scripts allow-forms allow-same-origin. Reported impacts include exposure of DOM data, indexedDB, cookies, backend API keys, model parameter files, private databases, and other enterprise AI resources.
Several reports warn that if an administrator opens a malicious shared transcript or chat, the attack can escalate from stored XSS to remote code execution through Open WebUI's administrative features and Python-based functions or plugins, potentially yielding code execution on the Docker container or local host. The issues were addressed across releases including v0.6.6 and v0.7.0 by tightening file ownership checks, removing or making optional same-origin iframe access, and recommending stronger HTML sanitization and restrictive CSP settings; one report also provided a database query to hunt for stored chats containing suspicious data:text/html or javascript: embed payloads.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Open WebUI patched CVE-2026-26192 by making the iframeSandboxAllowSameOrigin setting optional and reducing the safer default sandbox to allow-scripts allow-forms. This addressed token theft and account takeover risks caused by attacker-controlled HTML rendered with same-origin iframe access.
A patch for CVE-2026-26193 changed Open WebUI's iframe handling so same-origin access is no longer always enabled when rendering embedded content in response messages. The vulnerability allowed attacker-controlled data:text/html payloads to execute in the parent origin context when an administrator viewed a malicious shared chat.
Open WebUI version 0.7.0 was affected by a stored XSS vulnerability in the CitationModal component due to iframe sandbox settings that included allow-same-origin. This allowed attacker-controlled JavaScript to access window.parent.localStorage and steal JWT session tokens for account takeover.
Open WebUI v0.6.6 corrected a stored XSS issue tied to HTML file handling under API file paths by validating that the file owner exists and has the admin role before serving content. The flaw could let a low-privileged user compromise an administrator and potentially execute commands on the host.
On 2025-05-05, a GitHub security advisory disclosed a stored XSS flaw in Open WebUI caused by unsafe HTML rendering in chat transcripts. The advisory said attackers could steal access tokens from localStorage, take over accounts, and potentially reach backend RCE by abusing administrative function creation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cvereports.com
Open sourcecvereports.com
Open sourcecvereports.com
Open sourcecvereports.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.