CVE-2026-26192
Published: 19 February 2026
Summary
CVE-2026-26192 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables direct injection and execution of attacker-controlled JavaScript in victim browser contexts during chat/citation rendering, mapping to JS execution (T1059.007), session hijacking (T1185), and cookie theft (T1539) as explicitly described in the CVE impact.
NVD Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats…
more
document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.
Deeper analysisAI
CVE-2026-26192 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. In versions prior to 0.7.0, manually modifying chat history enables attackers to set the `html` property within document metadata. This triggers a frontend code path that treats document contents as HTML and renders them inside an iFrame during citation previews, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An authenticated attacker with low privileges can exploit this by injecting a weaponized HTML payload into a chat's document metadata via chat history modification. The payload executes when a victim previews the citation or views it within a shared chat, potentially leading to high-impact confidentiality and integrity violations, such as session hijacking, data theft, or malicious script execution in the victim's browser context.
The Open WebUI security advisory (GHSA-xc8p-9rr6-97r2) and affected code in CitationModal.svelte confirm that upgrading to version 0.7.0 resolves the issue by addressing the unsafe HTML rendering path.
As a platform for offline AI operations, this vulnerability highlights risks in self-hosted AI interfaces where user-generated content like chat histories and citations can introduce persistent web attacks. No real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Machine Learning Libraries
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: artificial intelligence