DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26193: CVE-2026-26193: Stored XSS via iFrame Embeds in Open WebUI Response Messages

CVE-2026-26193: Stored XSS via iFrame Embeds in Open WebUI Response Messages

Vulnerability ID: CVE-2026-26193
CVSS Score: 7.3
Published: 2026-07-07

CVE-2026-26193 is a stored Cross-Site Scripting (XSS) vulnerability in Open WebUI prior to version 0.6.44. The vulnerability arises because the rendering engine hardcodes insecure sandbox options on an iframe component used for response embeds, allowing attackers to execute JavaScript in the parent window origin.

TL;DR

Stored XSS via insecure iframe sandbox configurations in Open WebUI allows low-privileged users to steal admin session tokens through shared chats.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.3
  • EPSS Score: 0.00198
  • Exploit Status: poc
  • KEV Status: Not Listed

Affected Systems

  • Open WebUI
  • open_webui: < 0.6.44 (Fixed in: 0.6.44)

Mitigation Strategies

  • Upgrade Open WebUI to version 0.6.44 or higher.
  • Disable editing permissions for standard accounts to prevent historical chat modification.
  • Restrict public chat sharing functionality to reduce the distribution scope of potential payloads.
  • Implement Database auditing rules to detect embedded data-URIs.

Remediation Steps:

  1. Pull the latest container image of Open WebUI (0.6.44 or later).
  2. Restart the deployment to apply the updated Svelte components.
  3. Execute the database audit query to isolate and delete compromised chat rows.
  4. Configure WAF filtering for APIs matching incoming JSON fields referencing data URIs.

References


Read the full report for CVE-2026-26193 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)