Skip to main content

Open WebUI CVE-2026-45346

| EUVDEUVD-2026-30651 MEDIUM
Basic XSS (CWE-80)
2026-05-14 https://github.com/open-webui/open-webui GHSA-r29h-37fj-x2w6
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
CVSS changed
May 15, 2026 - 22:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 21:20 vuln.today
Analysis Generated
May 14, 2026 - 21:20 vuln.today
CVE Published
May 14, 2026 - 20:21 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

There is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation.

Details

It is possible permanently save any HTML/JavaScript code in the application, which can be then executed in the context of the application domain. This behaviour can be used to extract and steal sensitive data from the application, manipulate DOM tree or being used in complex client-side attacks.

Detailed step-by-step instruction provided below. Please keep me updated about assigned CVE identifier. I'd like to be credited as: Jakub Żoczek [Securitum]

PoC

Steps to reproduce:

To reproduce this vulnerability you need to:

  1. Login to Open WebUI
  2. Start new conversation / thread
  3. Use prompt: "Hey. Can you draw me a green circle using SVG ?"
  4. SVG image should be generated.
  5. Now it's possible to edit the code by simply clicking on it and adding additional code. Add payload <img src=a onerror=alert(document.domain)>
  6. The whole code should look like this:
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg><img src="a" onerror="alert(document.domain)">ok</img>

<img width="1249" alt="AI XSS1" src="https://github.com/user-attachments/assets/75167880-79ac-4510-9743-f99bf81a215d" />

  1. Now clicking "Save", the new image should get rendered, and malicious code - executed (by popping alert).

<img width="527" alt="AI XSS2" src="https://github.com/user-attachments/assets/24d4e572-97f0-438f-993d-08e1d421b349" />

Such thread could be then shared and sent to other users.

Impact

Cross-Site Scripting allows attacker to execute malicious code in context of victim's browser. This way it could be used in malicious client-side attack achieving different things, depends on attacker's goal. Such thread with rendered SVG could be shared to other user (or administrator) and gain sensitive data or even takeover someone's account.

AnalysisAI

Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.

Technical ContextAI

Open WebUI renders user-editable SVG code in conversations without proper sanitization of embedded HTML elements. The vulnerability stems from insufficient input validation in the SVG renderer component, which allows injection of non-SVG HTML elements (such as img tags with event handlers) that are executed by the browser. The root cause is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a variant of improper output encoding. The npm package open-webui contains the vulnerable SVG parsing and rendering logic that fails to strip or escape HTML payloads before storing and displaying user-generated SVG content.

RemediationAI

Upgrade Open WebUI npm package immediately to version 0.6.31 or later, which contains vendor-released patches addressing SVG sanitization. Execute 'npm update open-webui@0.6.31' or equivalent package manager command and restart the application. As a temporary compensating control for deployments unable to patch immediately, disable SVG editing features by restricting access to the SVG code editor endpoint (typically /api/messages/edit or equivalent conversation editing routes) at the reverse proxy or application-level access control layer - note that this prevents legitimate SVG usage and is not a permanent solution. Additionally, audit all existing conversations for injected payloads by searching the database for HTML elements outside valid SVG namespaces (e.g., img, script, iframe tags) in stored message content. Consider implementing a Web Application Firewall rule to block requests containing onerror, onload, or other event handler attributes in conversation edit operations. Inform users not to click links to potentially untrusted shared conversations until patching is complete.

Share

CVE-2026-45346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy