{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-webui--0.6.43/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-26193"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI (\u003c= 0.6.43)"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","open-webui","cve"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eA critical stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-26193, has been discovered in Open WebUI versions up to and including 0.6.43. This flaw allows attackers to inject malicious code into chat response messages by manually manipulating the chat history to set a user-controlled \u003ccode\u003eembeds\u003c/code\u003e property. The injected content is rendered within an iFrame whose sandbox attributes (\u003ccode\u003eallow-scripts\u003c/code\u003e and \u003ccode\u003eallow-same-origin\u003c/code\u003e) are hardcoded as true, effectively nullifying security protections. This bypass enables arbitrary JavaScript execution in the context of the user's browser. The vulnerability poses a significant risk as it can lead to session hijacking for low-privilege users by exfiltrating local storage tokens, and for administrators, it could pave the way for Remote Code Execution (RCE) on the server, as highlighted by related vulnerabilities. The malicious chat can be persistently stored and subsequently shared with other users, allowing the attack to propagate across the platform.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Pre-computation\u003c/strong\u003e: An attacker with legitimate user access to Open WebUI initiates a new chat session or interacts with an existing one.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eManipulation\u003c/strong\u003e: The attacker edits a model's response within a chat, preparing to inject malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Interception\u003c/strong\u003e: Using an HTTP proxy tool (e.g., Burp Suite, Caido, ZAP), the attacker intercepts the HTTP POST request sent to the server to save the modified chat history.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Injection\u003c/strong\u003e: Within the intercepted request body, the attacker locates the specific \u003ccode\u003emessages\u003c/code\u003e object corresponding to the edited text and manually adds an \u003ccode\u003eembeds\u003c/code\u003e key containing a malicious JavaScript payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence\u003c/strong\u003e: The manipulated HTTP request, now containing the XSS payload, is forwarded to the Open WebUI server, which saves the chat history, persistently storing the malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation\u003c/strong\u003e: Upon refreshing the chat page or when another user views the shared malicious chat, the Open WebUI frontend renders the stored \u003ccode\u003eembeds\u003c/code\u003e content within an iFrame.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSandbox Bypass \u0026amp; Execution\u003c/strong\u003e: Due to misconfigured iFrame sandbox attributes (\u003ccode\u003eallow-scripts\u003c/code\u003e and \u003ccode\u003eallow-same-origin\u003c/code\u003e are hardcoded as true), the malicious JavaScript executes unhindered in the context of the victim's browser.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The executed script performs actions such as exfiltrating the victim's session tokens from local storage (leading to session hijacking) or, if the victim is an administrator, potentially triggering a remote code execution vulnerability on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows any authenticated user to create a weaponized chat that can be persistently stored and shared, enabling attacks against other users. Low-privilege users face a risk of session takeover if their session tokens are exfiltrated from local storage to an attacker-controlled server. For administrators, the vulnerability introduces a pathway to exposing the server to Remote Code Execution (RCE), building upon chains described in related vulnerabilities like GHSA-w7xj-8fx7-wfch. Successful exploitation grants attackers unauthorized access to user sessions and potentially server control, leading to data breaches, unauthorized modifications, or further system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-26193 on all Open WebUI instances immediately by updating to a version greater than 0.6.43.\u003c/li\u003e\n\u003cli\u003eReview web application logs and WAF/API gateway logs for unusual POST requests to chat saving endpoints (\u003ccode\u003e/api/chat/\u003c/code\u003e) that contain the 'embeds' keyword in the request body, which could indicate exploitation attempts of the vulnerability described in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T16:55:24Z","date_published":"2026-07-07T16:55:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openwebui-xss/","summary":"A stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions up to 0.6.43, allowing attackers to manually modify chat history to inject malicious content into response messages via iFrames with misconfigured sandboxing, leading to arbitrary script execution, potential session hijacking, and enabling Remote Code Execution (RCE) on the server for administrators.","title":"Open WebUI Stored XSS via iFrame Embeds (CVE-2026-26193)","url":"https://feed.craftedsignal.io/briefs/2026-07-openwebui-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Open WebUI (\u003c= 0.6.43)","version":"https://jsonfeed.org/version/1.1"}