CVE-2026-26193
Published: 19 February 2026
Summary
CVE-2026-26193 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26193 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Open WebUI, a self-hosted artificial intelligence platform designed for offline operation. In versions prior to 0.6.44, attackers can manually modify chat history to set the `embeds` property on a response message. This property's content is then loaded into an iFrame with a sandbox attribute that includes `allow-scripts` and `allow-same-origin`, bypassing the "iframe Sandbox Allow Same Origin" configuration. The vulnerability impacts affected chats, including those in shared format.
The attack requires low privileges (PR:L), low attack complexity (AC:L), network access (AV:N), and user interaction (UI:R), with a CVSS v3.1 base score of 7.3 (C:H/I:H/A:N). An authenticated user with low privileges can craft a malicious payload by editing chat history, creating a shareable link that distributes the stored XSS payload to other users on the same instance. When victims access the shared chat or link, the payload executes in the sandboxed iFrame, potentially leading to high confidentiality and integrity impacts such as session hijacking, data theft, or further compromise within the user's browser context.
The GitHub security advisory (GHSA-vjm7-m4xh-7wrc) and related code changes confirm that updating to version 0.6.44 resolves the issue by addressing the improper iFrame sandbox handling. No additional mitigations are specified beyond applying the patch.
This vulnerability is notable in the context of self-hosted AI platforms, where shared chat links could propagate exploits across user bases in collaborative or multi-tenant deployments, though no public evidence of real-world exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7981
Vulnerability details
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, aanually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with…
more
a sandbox that has `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable link containing the payload that can be distributed to any other users on the instance. Version 0.6.44 fixes the issue.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: artificial intelligence, open webui
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS payload execution in shared chat iFrames directly enables browser session hijacking (T1185) and web session cookie theft (T1539) in victim contexts, as described in the CVE impacts.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation of chat history inputs (embeds property) to block storage of malicious iframe payloads that bypass sandbox restrictions.
Restricts execution of mobile code/scripts within iframes by enforcing safe sandbox attributes instead of allowing allow-scripts + allow-same-origin.
Applies output filtering/encoding when rendering shared chat embeds, mitigating the stored XSS payload before it executes in the victim's browser.