Skip to main content

Open WebUI CVE-2026-54011

| EUVDEUVD-2026-38531 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 https://github.com/open-webui/open-webui GHSA-v8qj-hxv7-mgvv
5.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (https://github.com/open-webui/open-webui) PRIMARY
HIGH
qualitative
NVD
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
8.7 HIGH

Network-reachable upload requires a low-privileged account (PR:L) and victim click (UI:R); script runs under app origin affecting another user (S:C) with high C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (https://github.com/open-webui/open-webui).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 25, 2026 - 13:52 NVD
HIGH MEDIUM
CVSS changed
Jun 25, 2026 - 13:52 NVD
8.7 (HIGH) 5.4 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 01:31 vuln.today
Analysis Generated
Jun 18, 2026 - 01:31 vuln.today

DescriptionNVD

Summary

Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.

Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.

This is a confirmed stored XSS vulnerability reachable through normal product functionality.

Affected Version

  • main
  • Reproduced on v0.8.12

Affected Code

Mermaid is initialized in permissive mode:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698 The file preview path renders Mermaid output and injects the returned SVG into the DOM:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133

Impact

A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel.

PoC

A malicious .md file containing the follwowing contents can be used to trigger the bug:

`

flowchart LR A[click me] click A href "javascript:alert(document.domain)" "x"

Steps to reproduce: 1- Create a new chat 2- Enable Code Interpreter and browse and upload the file with .md extension. <img width="331" height="258" alt="image" src="https://github.com/user-attachments/assets/bce2b754-56d1-4da1-90a9-22bcb93269f2" /> 3- Clicking on the file, and clicking click me should pop an alert <img width="1103" height="485" alt="image" src="https://github.com/user-attachments/assets/18754486-799b-434e-a2fc-dd7c09956a29" />

Remediation

Since mermaid has DOMPurify as a built-in, it is recommended to use the strict mode instead of loose.

AnalysisAI

Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Open WebUI
Delivery
Upload malicious Markdown with Mermaid click directive
Exploit
Lure victim to open file preview
Execution
Victim clicks rendered diagram node
Persist
javascript: URI fires under app origin
Impact
Steal session or perform CSRF actions

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an Open WebUI instance running a vulnerable version (≤ 0.9.5) where Mermaid is initialized with securityLevel:'loose', (2) an attacker holding low-privileged credentials sufficient to start a chat and upload files with Code Interpreter enabled, (3) a victim user who subsequently opens the malicious .md attachment in the file preview panel AND clicks the rendered Mermaid node containing the javascript: href, and (4) absence of a restrictive Content Security Policy blocking javascript: URIs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N reflects a network-reachable, low-complexity attack that requires a low-privileged uploader and a victim interaction (opening the file and clicking the diagram), with a scope change because script runs in the victim's browser under the Open WebUI origin rather than the uploader's session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged Open WebUI account creates a chat, enables Code Interpreter, and uploads a .md file containing a Mermaid flowchart whose click directive points to a javascript: URI; the file persists in the workspace. When an administrator or another user opens the file preview and clicks the rendered node, arbitrary JavaScript executes in their browser under the Open WebUI origin, enabling session token theft, CSRF against admin endpoints, or pivot into account takeover. …
Remediation Upgrade Open WebUI to version 0.9.6 or later (Vendor-released patch: 0.9.6), available via pip install --upgrade open-webui and tracked at https://github.com/open-webui/open-webui/security/advisories/GHSA-v8qj-hxv7-mgvv; the underlying fix changes Mermaid initialization from securityLevel:'loose' to 'strict' so Mermaid's built-in DOMPurify sanitizes output. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Open WebUI deployments and confirm versions ≤0.9.5; disable file upload and Markdown preview features immediately as interim control. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54011 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy