{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26192", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-11T19:56:24.812Z", "datePublished": "2026-02-19T19:10:52.185Z", "dateUpdated": "2026-02-19T21:23:23.625Z"}, "containers": {"cna": {"title": "Open WebUI vulnerable to Stored XSS via iFrame in citations model", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-xc8p-9rr6-97r2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-xc8p-9rr6-97r2"}, {"name": "https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/Citations/CitationModal.svelte#L163-L170", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/Citations/CitationModal.svelte#L163-L170"}], "affected": [{"vendor": "open-webui", "product": "open-webui", "versions": [{"version": "< 0.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:10:52.185Z"}, "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue."}], "source": {"advisory": "GHSA-xc8p-9rr6-97r2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:16:44.642080Z", "id": "CVE-2026-26192", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:23:23.625Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26192", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T21:16:44.642080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:16:46.109Z"}}], "cna": {"title": "Open WebUI vulnerable to Stored XSS via iFrame in citations model", "source": {"advisory": "GHSA-xc8p-9rr6-97r2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "open-webui", "product": "open-webui", "versions": [{"status": "affected", "version": "< 0.7.0"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-xc8p-9rr6-97r2", "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-xc8p-9rr6-97r2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/Citations/CitationModal.svelte#L163-L170", "name": "https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/Citations/CitationModal.svelte#L163-L170", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:10:52.185Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26192", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:23:23.625Z", "dateReserved": "2026-02-11T19:56:24.812Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:10:52.185Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AE20317-BF77-4682-9CD1-719E5CAC3373", "versionEndExcluding": "0.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue."}], "id": "CVE-2026-26192", "lastModified": "2026-02-20T20:17:25.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T20:25:42.290", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/open-webui/open-webui/blob/6f1486ffd0cb288d0e21f41845361924e0d742b3/src/lib/components/chat/Messages/Citations/CitationModal.svelte#L163-L170"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-xc8p-9rr6-97r2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "open-webui", "source": "cna", "vendor": "open-webui"}, "product": "open-webui", "vendor": "open-webui"}], "analysis": {"en": {"generated_at": "2026-04-17T17:57:51.841241+00:00", "value": {"mitigation_remediation": ["Update Open WebUI to version 0.7.0 or later, which removes the vulnerability by disabling the rendering of document metadata as HTML.", "If an update is not yet possible, locate and delete or sanitize any document metadata entries that set the `html` property before they are stored in the database.", "Restrict editing permissions or remove the ability to manually modify chat histories for untrusted users, and ensure shared chats are protected by strong access controls."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting enabling arbitrary client\u2011side code execution"}, "threat_synthesis": {"affected_systems": "Open WebUI (open\u2011webui) versions prior to 0.7.0 are affected. Any deployment of the platform that permits manual chat history editing or the inclusion of custom metadata may be vulnerable until an update is applied.", "description_and_impact": "Open WebUI (self\u2011hosted AI platform) allows a malicious user to edit chat history and set the HTML property inside document metadata. When this property exists, the frontend renders the document content as an iframe\u2011embedded HTML page. The stored payload can then be executed each time the citation is previewed, including when the chat is shared publicly. This flaw results in a stored XSS vulnerability that can run arbitrary scripts in the victim\u2019s browser without additional user interaction.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high impact potential. Although the EPSS score is below 1%, the existence of the vulnerability in a widely used self\u2011hosted solution keeps the risk alive. The CISA KEV catalog does not list this issue, but that does not negate the attack surface. An attacker needs the ability to edit the chat history or inject content into a document. Once the attack vector is established, the stored script will covertly execute in any user\u2019s browser that opens the citation, including users who view shared conversations. The scope is primarily client\u2011side code execution, potentially exposing session information, facilitating credential theft, or delivering other malicious actions on the victim\u2019s behalf."}}}}, "created": "2026-02-20T10:05:51.317526+00:00", "updated": "2026-04-17T18:00:12.192828+00:00", "vendors": ["open-webui", "open-webui$PRODUCT$open-webui"]}