Cyber Resilience

CVE-2026-26192

HighPublic PoC

Published: 19 February 2026

Published
19 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0004 13.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26192 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-26192 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. In versions prior to 0.7.0, manually modifying chat history enables attackers to set the `html` property within document metadata. This triggers a frontend code path that treats document contents as HTML and renders them inside an iFrame during citation previews, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

An authenticated attacker with low privileges can exploit this by injecting a weaponized HTML payload into a chat's document metadata via chat history modification. The payload executes when a victim previews the citation or views it within a shared chat, potentially leading to high-impact confidentiality and integrity violations, such as session hijacking, data theft, or malicious script execution in the victim's browser context.

The Open WebUI security advisory (GHSA-xc8p-9rr6-97r2) and affected code in CitationModal.svelte confirm that upgrading to version 0.7.0 resolves the issue by addressing the unsafe HTML rendering path.

As a platform for offline AI operations, this vulnerability highlights risks in self-hosted AI interfaces where user-generated content like chat histories and citations can introduce persistent web attacks. No real-world exploitation has been reported.

EU & UK References

Vulnerability details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats…

more

document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence, open webui

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS enables direct injection and execution of attacker-controlled JavaScript in victim browser contexts during chat/citation rendering, mapping to JS execution (T1059.007), session hijacking (T1185), and cookie theft (T1539) as explicitly described in the CVE impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45303Same product: Openwebui Open Webui
CVE-2026-26193Same product: Openwebui Open Webui
CVE-2026-44721Same product: Openwebui Open Webui
CVE-2024-7044Same product: Openwebui Open Webui
CVE-2026-44549Same product: Openwebui Open Webui
CVE-2026-45665Same product: Openwebui Open Webui
CVE-2024-7053Same product: Openwebui Open Webui
CVE-2026-45315Same product: Openwebui Open Webui
CVE-2026-45350Same product: Openwebui Open Webui
CVE-2026-0765Same product: Openwebui Open Webui

Affected Assets

openwebui
open webui
≤ 0.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all user-supplied input (chat history metadata containing the html property) before it is accepted or rendered.

prevent

Requires filtering of information output to remove or encode dangerous HTML/script content before it is placed inside an iFrame for citation preview.

prevent

Enforces least privilege so that low-privileged authenticated users cannot arbitrarily modify document metadata fields that trigger unsafe rendering paths.

References