Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26193

CVE-2026-26193: Open WebUI Stored XSS Vulnerability

CVE-2026-26193 is a stored cross-site scripting flaw in Open WebUI that allows attackers to inject malicious scripts via chat history. This article covers the technical details, affected versions, and mitigation steps.

Published: February 20, 2026

CVE-2026-26193 Overview

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.6.44 that allows attackers to inject malicious scripts through manually modified chat history. The vulnerability stems from improper handling of the embeds property on response messages, which are loaded into an iFrame with a sandbox configuration that includes allow-scripts and allow-same-origin, bypassing the "iframe Sandbox Allow Same Origin" configuration setting.

Critical Impact

This stored XSS vulnerability enables attackers to create shareable links containing malicious payloads that can be distributed to any user on the Open WebUI instance, potentially compromising user sessions and sensitive data.

Affected Products

  • Open WebUI versions prior to 0.6.44

Discovery Timeline

  • 2026-02-19 - CVE CVE-2026-26193 published to NVD
  • 2026-02-19 - Last updated in NVD database

Technical Details for CVE-2026-26193

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw allows authenticated attackers to bypass security controls by manually manipulating chat history to set the embeds property on response messages.

The core issue lies in the iFrame sandbox configuration within the ResponseMessage.svelte component. When embedding content, the application sets both allow-scripts and allow-same-origin sandbox attributes simultaneously. This combination is particularly dangerous because it effectively negates the security benefits of sandboxing—scripts running within the iFrame can access the parent document's DOM and cookies as if no sandbox existed.

The vulnerability has significant implications for confidentiality and integrity, as successful exploitation could allow attackers to steal session tokens, manipulate displayed content, or perform actions on behalf of authenticated users. The attack requires user interaction (clicking a shared link) and low privileges (authenticated access), but the network-accessible nature of the platform increases the overall risk.

Root Cause

The root cause is the insecure iFrame sandbox configuration in the ResponseMessage.svelte component. The application fails to properly restrict embedded content permissions by allowing both script execution (allow-scripts) and same-origin access (allow-same-origin) within the sandbox. This configuration ignores the application's "iframe Sandbox Allow Same Origin" setting, creating a security bypass that enables stored XSS attacks through the embeds property of chat messages.

Attack Vector

The attack vector is network-based and requires an authenticated attacker with the ability to modify chat history. The exploitation flow involves:

  1. An authenticated attacker manually modifies their chat history to inject a malicious payload into the embeds property of a response message
  2. The malicious content is rendered within an iFrame that has dangerous sandbox permissions
  3. The attacker shares the compromised chat using the platform's sharing functionality
  4. When other users access the shared link, the malicious script executes in their browser context with same-origin privileges
  5. The script can then access session data, perform unauthorized actions, or further propagate the attack

The vulnerability can be exploited through the shared chat format, making it particularly effective for targeting multiple users across the Open WebUI instance. For technical implementation details, refer to the GitHub Code Snippet and GitHub Security Advisory.

Detection Methods for CVE-2026-26193

Indicators of Compromise

  • Unusual modifications to chat history records containing embeds properties with script content
  • Shared chat links containing suspicious JavaScript or HTML payloads
  • Unexpected network requests originating from iFrame contexts to external domains
  • User reports of unexpected behavior when accessing shared chat links

Detection Strategies

  • Monitor chat database records for the presence of embeds properties containing HTML or JavaScript content
  • Implement Content Security Policy (CSP) violation logging to detect script execution attempts from embedded content
  • Review web server access logs for patterns indicating distribution of malicious shared chat links
  • Deploy browser-based XSS detection tools to identify script injection attempts in chat content

Monitoring Recommendations

  • Enable verbose logging for chat history modifications and sharing events
  • Implement real-time alerting for CSP violations related to iFrame content
  • Monitor user activity patterns for unusual chat sharing behavior, especially bulk sharing operations
  • Configure SentinelOne Singularity Platform to detect and block XSS attack patterns targeting web applications

How to Mitigate CVE-2026-26193

Immediate Actions Required

  • Upgrade Open WebUI to version 0.6.44 or later immediately
  • Audit existing shared chat links for potential malicious content
  • Review chat history records for suspicious embeds property modifications
  • Invalidate and regenerate session tokens for all users as a precautionary measure

Patch Information

The vulnerability has been addressed in Open WebUI version 0.6.44. Organizations should upgrade to this version or later to remediate the vulnerability. The fix properly restricts the iFrame sandbox configuration to prevent the allow-same-origin permission from being set in conjunction with allow-scripts. For complete details about the security fix, refer to the GitHub Security Advisory.

Workarounds

  • Disable the chat sharing feature until the patch can be applied
  • Implement additional Content Security Policy headers to restrict script execution in embedded content
  • Restrict user access to chat history modification capabilities where possible
  • Deploy a web application firewall (WAF) with XSS detection rules to filter malicious payloads
bash
# Example: Add restrictive Content Security Policy header
# In your reverse proxy (nginx example):
add_header Content-Security-Policy "frame-src 'self'; script-src 'self'; frame-ancestors 'self';" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeXSS
  • Vendor/TechOpen Webui
  • SeverityHIGH
  • CVSS Score7.3
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityNone
  • CWE References
  • CWE-79
  • Technical References
  • GitHub Code Snippet
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-26192: Open WebUI Stored XSS Vulnerability
  • CVE-2026-34225: Open WebUI Blind SSRF Vulnerability
  • CVE-2026-34222: Open WebUI Auth Bypass Vulnerability
  • CVE-2026-29070: Open WebUI Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English