Open WebUI XSS Allows Privilege Escalation to Super Admin

The National Vulnerability Database has detailed CVE-2026-45665, a high-severity (CVSS 8.1) Stored Cross-Site Scripting (XSS) vulnerability in Open WebUI. This self-hosted AI platform, designed for offline operation, was vulnerable in versions prior to 0.8.0. The flaw stems from an improper sanitization order in the Banner component: DOMPurify sanitizes the banner text before the marked library renders its Markdown to HTML, so markup produced by the renderer never passes through the sanitizer, leaving an opening for malicious code.

This vulnerability is critical because it enables privilege escalation. A compromised or malicious administrator can inject a payload into the global banner. This malicious banner then renders for all users, including the Super Admin. The National Vulnerability Database confirms this bypasses existing security mechanisms, allowing an attacker to steal the Super Admin’s session token. The fix is available in Open WebUI version 0.8.0.

This isn’t just a theoretical bug; it’s a direct path to full administrative control. For any organization using Open WebUI, this XSS represents a significant internal threat vector. An attacker doesn’t need to break into the system from the outside if they can compromise a lower-privileged admin and then leverage this vulnerability to jump to the highest access level.

What This Means For You

  • If your organization deploys Open WebUI, you need to verify your version immediately. Patch to 0.8.0 or later to remediate CVE-2026-45665. Audit your admin accounts for any suspicious activity, especially if you've been running older versions. This is a clear path for an insider threat or a compromised account to take over your entire AI platform.

Detection Rules

Level: high · ATT&CK: T1189 (Initial Access)

Sigma YAML:
title: CVE-2026-45665 - Open WebUI Stored XSS in Banner Component
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects the specific API endpoint used to update the banner in Open WebUI. An attacker can exploit CVE-2026-45665 by injecting a stored XSS payload into the banner via a POST request to '/api/settings/update-banner'. This rule looks for requests to this endpoint that contain script tags in the query, indicating a potential XSS attempt to compromise the Super Admin session.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45665/
tags:
  - attack.initial_access
  - attack.t1189
logsource:
  category: webserver
detection:
  selection:
    uri|contains:
      - '/api/settings/update-banner'
    # Sigma has no 'exact' modifier; a bare field name already matches the value exactly.
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  selection_indicators:
    cs-uri-query|contains:
      - '<script>'
  # 'condition' belongs directly under 'detection', not nested inside a selection.
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type                 | Indicator
CVE-2026-45665 | XSS                  | Open WebUI versions prior to 0.8.0
CVE-2026-45665 | XSS                  | Vulnerable component: Banner
CVE-2026-45665 | Privilege Escalation | Attack vector: Malicious payload in global banner to steal Super Admin session token

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
