CVE-2026-45303: Open WebUI Vulnerability Allows Script Injection

The National Vulnerability Database has published CVE-2026-45303, a high-severity vulnerability in Open WebUI, a self-hosted AI platform. Prior to version 0.6.5, the platform's HTML rendering view was susceptible to script injection and execution. The issue stems from how Open WebUI renders chat content inside an iframe: a sandbox attribute was present, but it granted the allow-scripts, allow-forms, and allow-same-origin keywords.

That combination defeats the purpose of the sandbox. With allow-same-origin, framed content that shares the embedding page's origin is no longer forced into an opaque origin, and with allow-scripts it can run code there, so injected script executes with the parent page's privileges and can read the parent's data, including local storage. The HTML specification itself warns that content granted both keywords can remove the sandbox attribute from its own frame and reload, breaking out of the sandbox entirely. The National Vulnerability Database assigned a CVSS score of 7.7 (HIGH), with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N: exploitation needs a low-privileged account (PR:L) and a victim who renders the attacker's content (UI:R), but the scope is changed (S:C) because the script escapes the frame into the parent application, with high impact on confidentiality and integrity.

The vulnerability is a reminder that a sandbox is only as strong as its most permissive keyword. Defenders running Open WebUI should upgrade to version 0.6.5 or later without delay. The attacker's path is straightforward: deliver HTML that the rendering view will display, and use a seemingly benign preview feature to gain broad access within the application's origin. For CISOs, it underscores the need for security review of third-party components, even those designed for offline operation (an offline deployment does not protect a browser-based application from client-side attacks), and for a working understanding of what each sandbox keyword actually grants.

What This Means For You

  • If your organization runs Open WebUI older than 0.6.5, it is exposed to script injection via CVE-2026-45303. Upgrade to version 0.6.5 or later immediately. Where you embed untrusted content in your own applications, audit every iframe's `sandbox` attribute: never grant `allow-scripts` together with `allow-same-origin`, because that pairing lets framed content reach the parent's origin and defeat the sandbox. Prefer `allow-scripts` alone (the content then runs in an opaque origin with no access to the parent's storage) or serve untrusted HTML from a separate origin.
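As an added illustration (not Open WebUI's code or the feed's), the following Node.js script audits the iframe tags in an HTML fragment and classifies each sandbox attribute by whether framed content can run script, share the parent's origin, or both. The sample HTML is constructed here: its first frame reproduces the pre-0.6.5 keyword set from the advisory, and the other three are hypothetical hardened and unsandboxed variants for comparison.

```javascript
// Added example (not Open WebUI code): audit <iframe sandbox="..."> policies in an HTML
// fragment and flag the keyword combination that made CVE-2026-45303 exploitable.
// Plain Node.js, no dependencies; the sample HTML below is constructed for illustration.

// Sandbox keywords defined by the HTML specification. Browsers ignore unknown tokens,
// so a typo such as "allow-script" silently grants nothing.
const KNOWN_KEYWORDS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Turn a sandbox attribute value into the set of granted keywords (tokens are
// ASCII case-insensitive). null means the attribute is absent, i.e. no sandbox at all;
// an empty string means the frame is fully restricted.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(
    value.trim().split(/\s+/).filter(Boolean)
      .map(t => t.toLowerCase())
      .filter(t => KNOWN_KEYWORDS.has(t)),
  );
}

// Classify one sandbox value. The security-relevant question is whether framed content
// can both run script and share the embedding page's origin: that pairing lets it read
// the parent's DOM and storage and, per the HTML spec, remove its own sandbox attribute.
function assessSandbox(value) {
  const granted = parseSandbox(value);
  if (granted === null) {
    return { sandboxed: false, scripts: true, sameOrigin: true, canEscape: true,
             severity: 'high', reason: 'no sandbox attribute: framed content is fully trusted' };
  }
  const scripts = granted.has('allow-scripts');
  const sameOrigin = granted.has('allow-same-origin');
  const canEscape = scripts && sameOrigin;
  let severity = 'ok';
  let reason = 'no script execution inside the frame';
  if (canEscape) {
    severity = 'high';
    reason = 'allow-scripts together with allow-same-origin nullifies the sandbox';
  } else if (scripts) {
    severity = 'info';
    reason = 'scripts run in an opaque origin; parent storage is unreachable';
  }
  return { sandboxed: true, scripts, sameOrigin, canEscape, severity, reason };
}

// Extract every <iframe> start tag from an HTML string and assess its sandbox attribute.
// Simple tag matching is enough for a template audit; it is not a full HTML parser.
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    // Match a bare `sandbox`, sandbox="...", sandbox='...' or sandbox=unquoted.
    const sb = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(attrs);
    const value = sb ? (sb[1] ?? sb[2] ?? sb[3] ?? '') : null;
    findings.push({ tag: m[0], ...assessSandbox(value) });
  }
  return findings;
}

// Constructed sample: the pre-0.6.5 keyword set described in the advisory (first tag)
// beside two hypothetical hardened variants and one frame with no sandbox at all.
const SAMPLE_HTML = `
<iframe id="chat" sandbox="allow-scripts allow-forms allow-same-origin" srcdoc="..."></iframe>
<iframe id="hardened" sandbox="allow-scripts allow-forms" srcdoc="..."></iframe>
<iframe id="locked" sandbox srcdoc="..."></iframe>
<iframe id="open" src="/preview"></iframe>
`;

function runAudit() {
  return auditIframes(SAMPLE_HTML);
}

for (const f of runAudit()) {
  console.log(`[${f.severity}] ${f.reason}\n    ${f.tag}`);
}
```

Run it with `node audit.js`: the first frame is reported as high, the `allow-scripts allow-forms` frame as info, the bare `sandbox` frame as ok, and the unsandboxed frame as high. Withholding `allow-same-origin` is what keeps the parent's localStorage out of reach: without it the framed document, whether loaded from `srcdoc` or a same-site `src`, runs in an opaque origin, so scripts can still execute but cannot touch the embedding page.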

🛡️ Detection Rules

The Sigma rule below was auto-generated by the feed, is mapped to MITRE ATT&CK, and is marked experimental; treat it as a starting point to tune against your own web-server logs rather than a validated signature.

Level: high · ATT&CK T1190 (Exploit Public-Facing Application), Initial Access

CVE-2026-45303: Open WebUI HTML Rendering Script Injection

Sigma YAML:
# Auto-generated rule as published by the feed; comments added for review.
title: CVE-2026-45303: Open WebUI HTML Rendering Script Injection
id: scw-2026-05-15-ai-1   # the Sigma spec expects a UUID here; regenerate before sharing the rule
status: experimental
level: high
description: |
  Detects POST requests to the /api/chat/render-html endpoint of Open WebUI whose query
  string carries iframe sandbox keywords (allow-scripts, allow-same-origin), which may
  indicate an attempt to exploit CVE-2026-45303. The endpoint path is as reported by the
  feed; confirm it against the routes of your deployed version before relying on this rule.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45303/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    # cs-uri-stem is the Sigma webserver field for the request path (the original used cs-uri).
    cs-uri-stem|contains: '/api/chat/render-html'
    # Most web servers do not log POST bodies, so only sandbox keywords placed in the URL
    # are visible here; a payload carried in the request body will not match.
    cs-uri-query|contains:
      - 'allow-scripts'
      - 'allow-same-origin'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Application code or tests that legitimately pass sandbox keywords in a query string


Indicators of Compromise

These entries describe the vulnerable condition (affected versions and the weak sandbox configuration) rather than network observables; use them for asset inventory and configuration checks, not for traffic matching.

ID             | Type             | Indicator
CVE-2026-45303 | XSS              | Open WebUI versions prior to 0.6.5
CVE-2026-45303 | Code Injection   | Open WebUI HTML rendering view allows script injection
CVE-2026-45303 | Misconfiguration | iframe sandbox attribute 'allow-scripts allow-forms allow-same-origin' in Open WebUI
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

Open WebUI XSS Allows Privilege Escalation to Super Admin

CVE-2026-45665 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists...

Tags: vulnerability, CVE, high-severity, cross-site-scripting-xss, cwe-79
SCW Vulnerability Desk · HIGH · score 8.1 · 3 IOCs · 3 Sigma rules

CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence

CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into...

Tags: vulnerability, CVE, medium-severity, cwe-200
SCW Vulnerability Desk · MEDIUM · score 6.5 · 2 IOCs · 2 Sigma rules

CVE-2026-45350: Open WebUI API Flaw Exposes Tools to Unauthorized Access

CVE-2026-45350 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion...

Tags: vulnerability, CVE, high-severity, cwe-862
SCW Vulnerability Desk · HIGH · score 7.1 · 4 IOCs · 3 Sigma rules