CVE-2026-45303 Overview
CVE-2026-45303 is a stored cross-site scripting (XSS) vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.6.5 allow attackers to inject and execute scripts through the HTML rendering view of the chat interface. The frontend embeds chat HTML content inside an iFrame configured with the allow-scripts allow-forms allow-same-origin sandbox directive. This combination nullifies the sandbox protections and grants injected scripts access to the parent origin and its local storage. The issue is tracked as [CWE-79] and fixed in version 0.6.5.
Critical Impact
Injected scripts execute with access to the parent origin's local storage, enabling session token theft, account compromise, and full hijack of the Open WebUI instance.
Affected Products
- Open WebUI versions prior to 0.6.5
- Self-hosted Open WebUI deployments rendering HTML chat content
- Multi-user Open WebUI instances where chats can be shared between accounts
Discovery Timeline
- 2026-05-15 - CVE-2026-45303 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45303
Vulnerability Analysis
Open WebUI provides an HTML rendering view that lets users visualize HTML content produced during a chat session. The frontend wraps this content in an iFrame and applies the sandbox attribute with allow-scripts, allow-forms, and allow-same-origin directives. Combining allow-scripts and allow-same-origin is explicitly warned against in the HTML sandbox specification because it effectively removes the isolation the sandbox is supposed to enforce. Injected JavaScript runs with the privileges of the parent document and can read localStorage, including authentication tokens. Only a narrow set of restrictions remain, such as suppressing alert() dialogs, which does not prevent meaningful attacker actions.
Root Cause
The root cause is an insecure iFrame sandbox configuration that pairs allow-scripts with allow-same-origin. Content rendered from untrusted chat data is treated as if it originated from the application itself. The application does not strip or neutralize active HTML elements such as <script> tags, inline event handlers, or <iframe> sources before rendering.
Attack Vector
An attacker with low privileges crafts a chat message or model response containing malicious HTML and JavaScript. When a victim opens the HTML rendering view for that chat, the payload executes inside the iFrame but with same-origin access to the Open WebUI parent window. The script can exfiltrate session data from localStorage, issue authenticated API requests, or modify stored chats. User interaction is required because the victim must trigger the HTML view, which is reflected in the attack complexity rating.
No public proof-of-concept code is available. The vendor's GitHub Security Advisory GHSA-4vrc-m9ch-6m3r documents the underlying sandbox misconfiguration and the fix.
Detection Methods for CVE-2026-45303
Indicators of Compromise
- Chat records containing <script> tags, inline on* event handlers, or obfuscated JavaScript payloads stored in the Open WebUI database.
- Outbound HTTP requests from user browsers to attacker-controlled domains shortly after rendering an HTML chat view.
- Unexpected reads or writes to browser localStorage keys belonging to the Open WebUI origin.
Detection Strategies
- Audit the Open WebUI chat database for stored messages containing HTML script constructs or suspicious iframe sources.
- Inspect web server and reverse proxy logs for unusual API call patterns originating from authenticated sessions immediately after HTML view interactions.
- Deploy Content Security Policy (CSP) reporting to capture script execution attempts that violate expected origins.
Monitoring Recommendations
- Monitor browser telemetry for anomalous DOM access against the Open WebUI origin and correlate with chat rendering events.
- Track the deployed Open WebUI version across hosts and alert when instances run versions earlier than 0.6.5.
- Review user account activity for unexpected privilege changes or token reuse that may indicate session hijack from stolen localStorage data.
How to Mitigate CVE-2026-45303
Immediate Actions Required
- Upgrade all Open WebUI instances to version 0.6.5 or later, which removes the unsafe sandbox configuration.
- Invalidate active sessions and rotate API tokens for any account that may have rendered untrusted HTML content prior to patching.
- Restrict who can submit chat content on shared or multi-tenant Open WebUI deployments until the upgrade is complete.
Patch Information
The vulnerability is fixed in Open WebUI 0.6.5. Refer to the Open WebUI GitHub Security Advisory GHSA-4vrc-m9ch-6m3r for vendor guidance and release details.
Workarounds
- Disable the HTML rendering view feature in deployments that cannot upgrade immediately.
- Place Open WebUI behind a reverse proxy that injects a strict Content Security Policy disallowing inline scripts on the application origin.
- Limit Open WebUI access to trusted users only and avoid sharing chats between accounts until patched.
# Configuration example: upgrade Open WebUI container to the patched release
docker pull ghcr.io/open-webui/open-webui:0.6.5
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui \
-p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.6.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
