
Open WebUI CVE-2026-45346

EUVD-2026-30651 | Severity: MEDIUM
Basic XSS (CWE-80)
2026-05-14 | https://github.com/open-webui/open-webui | GHSA-r29h-37fj-x2w6
CVSS 4.0 base score: 5.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (UI:P)
Scope: X (not defined)

Lifecycle Timeline

May 15, 2026 - 22:22 (NVD): CVSS changed to 5.1 (MEDIUM)
May 14, 2026 - 21:20 (vuln.today): Source code evidence fetched
May 14, 2026 - 21:20 (vuln.today): Analysis generated
May 14, 2026 - 20:21 (nvd): CVE published, severity MEDIUM

Description (NVD)

Summary

There is a Cross-Site Scripting vulnerability in Open WebUI's SVG renderer implementation.

Details

It is possible to permanently save any HTML/JavaScript code in the application, which can then be executed in the context of the application domain. This behaviour can be used to extract and steal sensitive data from the application, manipulate the DOM tree, or be used in complex client-side attacks.

Detailed step-by-step instructions are provided below. Please keep me updated about the assigned CVE identifier. I'd like to be credited as: Jakub Żoczek [Securitum]

PoC

Steps to reproduce:

To reproduce this vulnerability you need to:

  1. Log in to Open WebUI.
  2. Start a new conversation / thread.
  3. Use the prompt: "Hey. Can you draw me a green circle using SVG?"
  4. An SVG image should be generated.
  5. Now it's possible to edit the code by simply clicking on it and adding additional code. Add the payload <img src=a onerror=alert(document.domain)>
  6. The whole code should look like this:

<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg><img src="a" onerror="alert(document.domain)">ok</img>

[Screenshot: AI XSS1]

  7. Now click "Save": the new image should get rendered and the malicious code executed (by popping an alert).

[Screenshot: AI XSS2]

Such a thread could then be shared and sent to other users.

Impact

Cross-Site Scripting allows an attacker to execute malicious code in the context of the victim's browser. This way it could be used in malicious client-side attacks achieving different things, depending on the attacker's goal. Such a thread with a rendered SVG could be shared with another user (or administrator) to gain sensitive data or even take over someone's account.
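The root cause described above is user-edited SVG source being rendered as raw HTML, so anything appended after the closing </svg> tag (the <img onerror> in the PoC) reaches the DOM. The following is an added example of the kind of check a save handler or renderer can apply; it is not Open WebUI's code or its actual fix, and the function names and element allowlist are assumptions. It accepts only a single well-formed document rooted at <svg> in the SVG namespace, drops non-drawing elements and event-handler attributes, and refuses input with trailing markup.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)  # serialize a plain <svg> root instead of ns0:svg
ET.register_namespace("xlink", XLINK_NS)

# Constructed allowlist of plain drawing elements; <script>, <style>, <foreignObject>, <image>,
# <a> and anything outside the SVG namespace are dropped together with their subtrees.
ALLOWED = {"svg", "g", "defs", "title", "desc", "use", "circle", "ellipse", "rect", "line",
           "polyline", "polygon", "path", "text", "tspan", "linearGradient", "radialGradient", "stop"}
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

class UnsafeSvgError(ValueError):
    """The edited markup is not a single, well-formed <svg> document."""

def _allowed(tag) -> bool:
    # ET.fromstring yields tags of the form "{namespace}local"; require the SVG namespace.
    return isinstance(tag, str) and tag.startswith(f"{{{SVG_NS}}}") and tag.split("}", 1)[1] in ALLOWED

def _clean_attrs(el: ET.Element) -> None:
    for name in list(el.attrib):
        local = name.rsplit("}", 1)[-1].lower()
        if local.startswith("on") or local == "style":
            del el.attrib[name]  # event handlers (onload, onerror, ...) and inline CSS
        elif name in URL_ATTRS and not el.attrib[name].strip().startswith("#"):
            del el.attrib[name]  # keep only same-document references such as href="#grad"

def sanitize_svg(markup: str) -> str:
    """Return cleaned markup or raise UnsafeSvgError. xml.etree is not hardened against
    entity-expansion input; in production parse with defusedxml.ElementTree.fromstring."""
    try:
        root = ET.fromstring(markup)  # anything after </svg> fails here: "junk after document element"
    except ET.ParseError as exc:
        raise UnsafeSvgError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise UnsafeSvgError("root element must be <svg> in the SVG namespace")
    doomed = [(p, c) for p in root.iter() for c in p if not _allowed(c.tag)]
    for parent, child in doomed:
        parent.remove(child)
    for el in root.iter():
        _clean_attrs(el)
    return ET.tostring(root, encoding="unicode")

def safe_svg_or_none(markup: str):
    """What a renderer or save handler would call: cleaned SVG, or None to refuse the edit."""
    try:
        return sanitize_svg(markup)
    except UnsafeSvgError:
        return None
```

Rendering the cleaned result through an <img> element (data: URL) rather than injecting it into the page DOM adds a second layer, since browsers do not run script in image-context SVG.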

Analysis (AI)

Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. …


CVE-2026-45346 vulnerability details – vuln.today
