CVE-2026-26193
Published: 19 February 2026
Summary
CVE-2026-26193 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS payload execution in shared chat iFrames directly enables browser session hijacking (T1185) and web session cookie theft (T1539) in victim contexts, as described in the CVE impacts.
NVD Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, aanually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with…
more
a sandbox that has `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable link containing the payload that can be distributed to any other users on the instance. Version 0.6.44 fixes the issue.
Deeper analysisAI
CVE-2026-26193 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Open WebUI, a self-hosted artificial intelligence platform designed for offline operation. In versions prior to 0.6.44, attackers can manually modify chat history to set the `embeds` property on a response message. This property's content is then loaded into an iFrame with a sandbox attribute that includes `allow-scripts` and `allow-same-origin`, bypassing the "iframe Sandbox Allow Same Origin" configuration. The vulnerability impacts affected chats, including those in shared format.
The attack requires low privileges (PR:L), low attack complexity (AC:L), network access (AV:N), and user interaction (UI:R), with a CVSS v3.1 base score of 7.3 (C:H/I:H/A:N). An authenticated user with low privileges can craft a malicious payload by editing chat history, creating a shareable link that distributes the stored XSS payload to other users on the same instance. When victims access the shared chat or link, the payload executes in the sandboxed iFrame, potentially leading to high confidentiality and integrity impacts such as session hijacking, data theft, or further compromise within the user's browser context.
The GitHub security advisory (GHSA-vjm7-m4xh-7wrc) and related code changes confirm that updating to version 0.6.44 resolves the issue by addressing the improper iFrame sandbox handling. No additional mitigations are specified beyond applying the patch.
This vulnerability is notable in the context of self-hosted AI platforms, where shared chat links could propagate exploits across user bases in collaborative or multi-tenant deployments, though no public evidence of real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: artificial intelligence