CVE-2026-44721 Overview
Open WebUI is a self-hosted artificial intelligence platform built to operate entirely offline. A stored cross-site scripting (XSS) vulnerability [CWE-79] affects versions prior to 0.9.0. Any authenticated user with the workspace.models permission can inject JavaScript into a model definition. The payload executes in the browser of any user, including administrators, who later opens the malicious model in the chat interface. The maintainers resolved the issue in version 0.9.0.
Critical Impact
Stored JavaScript executes in victim browsers when they view a poisoned model, enabling session theft, account takeover, and pivoting to administrator privileges.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments allowing model creation by non-admin users
- Multi-tenant Open WebUI instances exposed to multiple authenticated users
Discovery Timeline
- 2026-05-15 - CVE-2026-44721 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44721
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in the Open WebUI model workspace. Open WebUI renders model metadata supplied by users with the workspace.models permission. When a user with that permission creates or edits a model, attacker-controlled content is persisted to the backend store. The chat UI later renders that content without sufficient output encoding or HTML sanitization. As a result, arbitrary JavaScript runs under the origin of the Open WebUI application in any viewer's session.
Exploitation requires the victim to interact with the malicious model in the chat UI, which typically occurs during normal product use. Because admins routinely review user-created models, attackers can reliably reach privileged sessions and exfiltrate authentication cookies or tokens.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Model fields rendered in the chat UI accept HTML or JavaScript constructs that should be escaped or stripped. The absence of contextual output encoding allows persisted user input to break out of its intended display context and execute as script.
Attack Vector
An attacker first authenticates to Open WebUI with an account holding the workspace.models permission. The attacker then creates a model whose metadata contains a JavaScript payload. When a second user, including an administrator, opens that model in the chat UI, the browser parses and executes the payload. The script runs with the victim's session privileges and can call backend APIs, read DOM content, or exfiltrate tokens to attacker infrastructure.
No synthetic exploit code is reproduced here. Refer to the GitHub Security Advisory GHSA-gf5m-wcrh-7928 for vendor-published details.
Detection Methods for CVE-2026-44721
Indicators of Compromise
- Model records in the Open WebUI database containing <script>, onerror=, onload=, or javascript: patterns in name, description, or system prompt fields
- Outbound browser requests from admin sessions to unexpected external domains shortly after opening a user-created model
- New or modified models created by non-admin accounts with the workspace.models permission
Detection Strategies
- Query the Open WebUI model store for HTML or JavaScript tokens inside model metadata fields
- Review reverse proxy and web server logs for POST and PUT requests to model endpoints originating from low-privileged users
- Correlate admin browser telemetry with model-view events to identify script execution against privileged sessions
Monitoring Recommendations
- Alert on creation or modification of models by accounts that do not normally manage models
- Monitor for anomalous JavaScript-initiated network connections from authenticated Open WebUI sessions
- Track elevation events such as new API tokens, password changes, or role changes that follow model interactions
How to Mitigate CVE-2026-44721
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later on all instances
- Audit existing models for embedded HTML or JavaScript content and remove or sanitize affected records
- Review which user accounts hold the workspace.models permission and revoke it where not required
- Rotate session tokens and API keys for administrator accounts that may have viewed malicious models
Patch Information
The vendor fixed CVE-2026-44721 in Open WebUI 0.9.0. See the Open WebUI GitHub Security Advisory GHSA-gf5m-wcrh-7928 for the official advisory and release information.
Workarounds
- Restrict the workspace.models permission to a small group of trusted users until the upgrade is applied
- Place Open WebUI behind a reverse proxy that enforces a strict Content Security Policy to limit inline script execution
- Disable or hide user-created models in shared environments until administrators verify their contents
# Upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.9.0
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
