<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Open WebUI (&lt;= 0.6.43) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/open-webui--0.6.43/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 16:55:24 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/open-webui--0.6.43/feed.xml" rel="self" type="application/rss+xml"/><item><title>Open WebUI Stored XSS via iFrame Embeds (CVE-2026-26193)</title><link>https://feed.craftedsignal.io/briefs/2026-07-openwebui-xss/</link><pubDate>Tue, 07 Jul 2026 16:55:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openwebui-xss/</guid><description>A stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions up to 0.6.43, allowing attackers to manually modify chat history to inject malicious content into response messages via iFrames with misconfigured sandboxing, leading to arbitrary script execution, potential session hijacking, and enabling Remote Code Execution (RCE) on the server for administrators.</description><content:encoded><![CDATA[<p>A critical stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-26193, has been discovered in Open WebUI versions up to and including 0.6.43. This flaw allows attackers to inject malicious code into chat response messages by manually manipulating the chat history to set a user-controlled <code>embeds</code> property. The injected content is rendered within an iFrame whose sandbox attributes (<code>allow-scripts</code> and <code>allow-same-origin</code>) are hardcoded as true, effectively nullifying security protections. This bypass enables arbitrary JavaScript execution in the context of the user's browser. The vulnerability poses a significant risk as it can lead to session hijacking for low-privilege users by exfiltrating local storage tokens, and for administrators, it could pave the way for Remote Code Execution (RCE) on the server, as highlighted by related vulnerabilities. The malicious chat can be persistently stored and subsequently shared with other users, allowing the attack to propagate across the platform.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Pre-computation</strong>: An attacker with legitimate user access to Open WebUI initiates a new chat session or interacts with an existing one.</li>
<li><strong>Manipulation</strong>: The attacker edits a model's response within a chat, preparing to inject malicious content.</li>
<li><strong>Request Interception</strong>: Using an HTTP proxy tool (e.g., Burp Suite, Caido, ZAP), the attacker intercepts the HTTP POST request sent to the server to save the modified chat history.</li>
<li><strong>Payload Injection</strong>: Within the intercepted request body, the attacker locates the specific <code>messages</code> object corresponding to the edited text and manually adds an <code>embeds</code> key containing a malicious JavaScript payload.</li>
<li><strong>Persistence</strong>: The manipulated HTTP request, now containing the XSS payload, is forwarded to the Open WebUI server, which saves the chat history, persistently storing the malicious content.</li>
<li><strong>Exploitation</strong>: Upon refreshing the chat page or when another user views the shared malicious chat, the Open WebUI frontend renders the stored <code>embeds</code> content within an iFrame.</li>
<li><strong>Sandbox Bypass &amp; Execution</strong>: Due to misconfigured iFrame sandbox attributes (<code>allow-scripts</code> and <code>allow-same-origin</code> are hardcoded as true), the malicious JavaScript executes unhindered in the context of the victim's browser.</li>
<li><strong>Impact</strong>: The executed script performs actions such as exfiltrating the victim's session tokens from local storage (leading to session hijacking) or, if the victim is an administrator, potentially triggering a remote code execution vulnerability on the server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows any authenticated user to create a weaponized chat that can be persistently stored and shared, enabling attacks against other users. Low-privilege users face a risk of session takeover if their session tokens are exfiltrated from local storage to an attacker-controlled server. For administrators, the vulnerability introduces a pathway to exposing the server to Remote Code Execution (RCE), building upon chains described in related vulnerabilities like GHSA-w7xj-8fx7-wfch. Successful exploitation grants attackers unauthorized access to user sessions and potentially server control, leading to data breaches, unauthorized modifications, or further system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-26193 on all Open WebUI instances immediately by updating to a version greater than 0.6.43.</li>
<li>Review web application logs and WAF/API gateway logs for unusual POST requests to chat saving endpoints (<code>/api/chat/</code>) that contain the 'embeds' keyword in the request body, which could indicate exploitation attempts of the vulnerability described in this brief.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>web-application</category><category>open-webui</category><category>cve</category></item></channel></rss>