PT-2026-39294 · Unknown · Open-Webui

Published: 2026-05-08 · Updated: 2026-05-19 · CVE-2026-44721

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions 0.3.5 through 0.8.12

Description: A stored cross-site scripting (XSS) issue allows authenticated users with model creation permissions (workspace.models) to execute arbitrary JavaScript in the browsers of other users, including administrators, who view a malicious model in the chat UI. The flaw exists because model descriptions are processed through a pipeline in which sanitizeResponseContent() only escapes angle brackets and does not block javascript: URIs. marked.parse() then converts markdown links into anchor tags, and Svelte's {@html} directive renders the resulting raw HTML without further sanitization. This can be exploited to steal session tokens from local storage, potentially leading to arbitrary code execution if an administrator's token is compromised.

Recommendations: Update to version 0.9.0. As a temporary workaround, restrict the workspace.models permission to trusted users only to prevent the creation of malicious models.
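The pipeline described above, modelled in a few lines as an added example (not Open WebUI's own code): the weak path escapes only angle brackets and converts markdown links into anchors without checking the URL scheme, while the hardened path allowlists schemes before emitting an href. The function names are hypothetical stand-ins for sanitizeResponseContent(), marked.parse() and the {@html} sink, and the markdown link handling is a constructed simplification of what marked does.

```javascript
// Added example (not Open WebUI's own code): a minimal model of the rendering
// pipeline the advisory describes, beside a hardened variant. The function
// names are hypothetical stand-ins for sanitizeResponseContent(), marked.parse()
// and the {@html} sink; the markdown handling is a constructed simplification.

// Stand-in for the weak sanitizer: only angle brackets are escaped.
function escapeAngleBrackets(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Stand-in for marked.parse() inline links: [label](url) -> <a href="url">label</a>
const LINK_RE = /\[([^\]]*)\]\(([^)\s]+)\)/g;

// Vulnerable pipeline: nothing inspects the URL scheme, so the HTML handed to
// {@html} keeps a javascript: href intact.
function renderDescriptionUnsafe(description) {
  return escapeAngleBrackets(description).replace(
    LINK_RE, (_m, label, url) => `<a href="${url}">${label}</a>`);
}

// Hardened: allowlist the URL scheme instead of denylisting javascript:.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

function isSafeHref(url) {
  // Browsers drop control characters and whitespace before reading the scheme,
  // so strip them first; then compare case-insensitively.
  const cleaned = url.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return true;                 // relative URL: no scheme to abuse
  return SAFE_SCHEMES.has(m[1]);
}

function renderDescriptionHardened(description) {
  // Escape quotes too, so a URL cannot terminate the href attribute.
  const escaped = escapeAngleBrackets(description).replace(/"/g, "&quot;");
  return escaped.replace(LINK_RE, (_m, label, url) =>
    isSafeHref(url)
      ? `<a href="${url}" rel="noopener noreferrer">${label}</a>`
      : label);                        // unsafe scheme: keep the text, drop the link
}

// Constructed model descriptions for a quick demonstration.
const SAMPLES = [
  "See [docs](https://example.com/docs) for details.",
  "[docs](JaVaScRiPt:void%200)",
  "Go [home](/workspace)",
];
for (const s of SAMPLES) {
  console.log(renderDescriptionUnsafe(s), "=>", renderDescriptionHardened(s));
}
```

The mixed-case sample shows why a case-sensitive denylist of the string "javascript:" is not enough; the allowlist also rejects data: and other schemes the page does not mention.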

Exploit · Fix · XSS


Related Identifiers

CVE-2026-44721
GHSA-GF5M-WCRH-7928

Affected Products

Open-Webui