Open WebUI XSS Vulnerability Exposes Offline AI Platforms

/HIGH /CVSS 7.3/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycross-site-scripting-xsscwe-79
Open WebUI XSS Vulnerability Exposes Offline AI Platforms

The National Vulnerability Database has detailed CVE-2026-44549, a high-severity Cross-Site Scripting (XSS) vulnerability affecting Open WebUI, a self-hosted AI platform. This flaw, present in versions prior to 0.8.0, allows a specially crafted Excel file (XLSX) to embed an XSS payload. When the sheetjs function sheet_to_html processes the file, it injects the payload into the generated HTML, which is then added to the DOM unsanitized via @html, triggering the XSS.

This isn’t just a theoretical bug; it’s a direct path to client-side compromise within an environment intended for offline use and enhanced security. Attackers can leverage this to steal session tokens, manipulate user interfaces, or redirect users. The CVSS score of 7.3 (HIGH) underscores the significant impact, particularly the high confidentiality and integrity impacts (C:H/I:H) noted in the vector. It’s a classic case of improper input sanitization leading to critical consequences.

Open WebUI’s promise is secure, offline AI. This vulnerability fundamentally undermines that. Organizations deploying Open WebUI for sensitive internal AI applications must prioritize patching. An attacker only needs to convince a user to open a malicious Excel file within the platform, a relatively low bar for a targeted attack. The fix is in version 0.8.0, making remediation straightforward.

What This Means For You

  • If your organization uses Open WebUI, you need to verify your version immediately. If you're running anything prior to 0.8.0, you are vulnerable to client-side compromise via malicious Excel files. Patch to 0.8.0 or later without delay. Review your internal policies regarding document handling within AI platforms, even those designed for offline operation.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1566.002 Phishing: Spearphishing Attachment Initial Access T1059.007 Command and Scripting Interpreter: JavaScript Execution

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-44549 - Open WebUI XLSX XSS via sheet_to_html

Sigma YAML — free preview 
title: CVE-2026-44549 - Open WebUI XLSX XSS via sheet_to_html
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects requests to the Open WebUI file preview endpoint that contain the 'sheet_to_html' function in the query string, indicative of an attempt to exploit CVE-2026-44549. This vulnerability allows for Cross-Site Scripting (XSS) by crafting a malicious XLSX file that, when previewed, embeds an XSS payload into the generated HTML.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44549/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/api/v1/files/preview/'
      cs-method:
          - 'POST'
      sc-status:
          - '200'
  selection_payload:
      cs-uri-query|contains:
          - 'sheet_to_html'
  condition: selection AND selection_payload
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44549 XSS Open WebUI versions prior to 0.8.0
CVE-2026-44549 XSS Crafted XLSX file payload
CVE-2026-44549 XSS sheetjs function sheet_to_html
CVE-2026-44549 XSS Unsanitized @html embedding

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 16, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

Open WebUI XSS Allows Privilege Escalation to Super Admin

CVE-2026-45665 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists...

vulnerabilityCVEhigh-severitycross-site-scripting-xsscwe-79
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence

CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into...

vulnerabilityCVEmedium-severitycwe-200
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-45350: Open WebUI API Flaw Exposes Tools to Unauthorized Access

CVE-2026-45350 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 4 IOCs /⚙ 3 Sigma