CVE-2026-26192
Published: 19 February 2026
Summary
CVE-2026-26192 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-26192 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. In versions prior to 0.7.0, manually modifying chat history enables attackers to set the `html` property within document metadata. This triggers a frontend code path that treats document contents as HTML and renders them inside an iFrame during citation previews, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An authenticated attacker with low privileges can exploit this by injecting a weaponized HTML payload into a chat's document metadata via chat history modification. The payload executes when a victim previews the citation or views it within a shared chat, potentially leading to high-impact confidentiality and integrity violations, such as session hijacking, data theft, or malicious script execution in the victim's browser context.
The Open WebUI security advisory (GHSA-xc8p-9rr6-97r2) and affected code in CitationModal.svelte confirm that upgrading to version 0.7.0 resolves the issue by addressing the unsafe HTML rendering path.
As a platform for offline AI operations, this vulnerability highlights risks in self-hosted AI interfaces where user-generated content like chat histories and citations can introduce persistent web attacks. No real-world exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7982
Vulnerability details
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats…
more
document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: artificial intelligence, open webui
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables direct injection and execution of attacker-controlled JavaScript in victim browser contexts during chat/citation rendering, mapping to JS execution (T1059.007), session hijacking (T1185), and cookie theft (T1539) as explicitly described in the CVE impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of all user-supplied input (chat history metadata containing the html property) before it is accepted or rendered.
Requires filtering of information output to remove or encode dangerous HTML/script content before it is placed inside an iFrame for citation preview.
Enforces least privilege so that low-privileged authenticated users cannot arbitrarily modify document metadata fields that trigger unsafe rendering paths.