Cyber Resilience

CVE-2026-26193

HighPublic PoC

Published: 19 February 2026

Published
19 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0004 13.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26193 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Openwebui Open Webui. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26193 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Open WebUI, a self-hosted artificial intelligence platform designed for offline operation. In versions prior to 0.6.44, attackers can manually modify chat history to set the `embeds` property on a response message. This property's content is then loaded into an iFrame with a sandbox attribute that includes `allow-scripts` and `allow-same-origin`, bypassing the "iframe Sandbox Allow Same Origin" configuration. The vulnerability impacts affected chats, including those in shared format.

The attack requires low privileges (PR:L), low attack complexity (AC:L), network access (AV:N), and user interaction (UI:R), with a CVSS v3.1 base score of 7.3 (C:H/I:H/A:N). An authenticated user with low privileges can craft a malicious payload by editing chat history, creating a shareable link that distributes the stored XSS payload to other users on the same instance. When victims access the shared chat or link, the payload executes in the sandboxed iFrame, potentially leading to high confidentiality and integrity impacts such as session hijacking, data theft, or further compromise within the user's browser context.

The GitHub security advisory (GHSA-vjm7-m4xh-7wrc) and related code changes confirm that updating to version 0.6.44 resolves the issue by addressing the improper iFrame sandbox handling. No additional mitigations are specified beyond applying the patch.

This vulnerability is notable in the context of self-hosted AI platforms, where shared chat links could propagate exploits across user bases in collaborative or multi-tenant deployments, though no public evidence of real-world exploitation has been reported.

EU & UK References

Vulnerability details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, aanually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with…

more

a sandbox that has `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable link containing the payload that can be distributed to any other users on the instance. Version 0.6.44 fixes the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence, open webui

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS payload execution in shared chat iFrames directly enables browser session hijacking (T1185) and web session cookie theft (T1539) in victim contexts, as described in the CVE impacts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45665Same product: Openwebui Open Webui
CVE-2026-44721Same product: Openwebui Open Webui
CVE-2026-26192Same product: Openwebui Open Webui
CVE-2026-45303Same product: Openwebui Open Webui
CVE-2024-7044Same product: Openwebui Open Webui
CVE-2024-7053Same product: Openwebui Open Webui
CVE-2026-44549Same product: Openwebui Open Webui
CVE-2026-45350Same product: Openwebui Open Webui
CVE-2026-34222Same product: Openwebui Open Webui
CVE-2026-45402Same product: Openwebui Open Webui

Affected Assets

openwebui
open webui
≤ 0.6.44

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of chat history inputs (embeds property) to block storage of malicious iframe payloads that bypass sandbox restrictions.

prevent

Restricts execution of mobile code/scripts within iframes by enforcing safe sandbox attributes instead of allowing allow-scripts + allow-same-origin.

prevent

Applies output filtering/encoding when rendering shared chat embeds, mitigating the stored XSS payload before it executes in the victim's browser.

References