PT-2026-41168 · Unknown · Open-Webui
Published 2026-05-09 · Updated 2026-05-16 · CVE-2026-45315
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.3
Description: The audio transcription upload endpoint saves uploaded files under the extension taken from the user-supplied filename. The '/cache/{path}' route then serves these files via FileResponse, which derives the Content-Type from the on-disk extension and does not emit a Content-Disposition header. An authenticated user holding the chat.stt permission can upload a polyglot WAV+HTML file (a file that is valid both as a WAV audio file and as an HTML document) and lure other users into opening its URL. The response is then served as 'text/html', so embedded <script> tags execute in the Open WebUI origin: a stored Cross-Site Scripting (XSS) vulnerability. It can be used to steal session tokens, such as JWTs held in localStorage or non-HttpOnly OAuth cookies, potentially enabling full account takeover.
Recommendations: Update to version 0.9.3. As a temporary workaround, set USER_PERMISSIONS_CHAT_STT to False to revoke upload rights from non-admin users.
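The two weaknesses the description names (on-disk extension taken from the client filename, and a cache route that lets the browser treat the file as a document) each have a straightforward server-side fix. The following Python is an added, standard-library-only illustration of that pattern; it is not Open WebUI's code, the allowlist of audio containers and the cache directory are constructed for the example, and the FastAPI route and FileResponse glue are left out.

```python
"""Hardened upload/serve pair for a transcription cache (added example).

Control 1: the stored extension comes from an allowlist keyed by the bytes
           actually received, never from the client-supplied filename.
Control 2: anything served from the cache path is forced to be a download
           (Content-Disposition: attachment) and may not be sniffed or
           rendered as a document, so a file that is simultaneously valid
           audio and valid HTML is still harmless.
"""
from __future__ import annotations

import os
import re
import struct
import uuid

# Constructed allowlist: (offset, signature, offset2, signature2, ext, Content-Type).
_AUDIO_SIGNATURES = [
    (0, b"RIFF", 8, b"WAVE", "wav", "audio/wav"),
    (0, b"ID3", None, None, "mp3", "audio/mpeg"),
    (0, b"OggS", None, None, "ogg", "audio/ogg"),
    (0, b"fLaC", None, None, "flac", "audio/flac"),
]


class RejectedUpload(ValueError):
    """Raised when an upload or a cache path does not pass validation."""


def detect_audio_type(data: bytes) -> tuple[str, str]:
    """Identify the container from magic bytes; raise if it is not allowlisted."""
    for off1, sig1, off2, sig2, ext, ctype in _AUDIO_SIGNATURES:
        if data[off1:off1 + len(sig1)] != sig1:
            continue
        if sig2 is not None and data[off2:off2 + len(sig2)] != sig2:
            continue
        return ext, ctype
    raise RejectedUpload("unrecognised or unsupported audio container")


def safe_storage_name(client_filename: str, data: bytes) -> tuple[str, str]:
    """Return (on-disk filename, Content-Type) for an upload.

    client_filename is deliberately unused for the stored name: a random
    basename plus a detected extension removes both the extension trick and
    any path characters the client may have included.
    """
    ext, ctype = detect_audio_type(data)
    return f"{uuid.uuid4().hex}.{ext}", ctype


def resolve_cache_path(cache_dir: str, requested: str) -> str:
    """Map the {path} route parameter onto the cache directory, refusing escapes."""
    root = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise RejectedUpload("requested path escapes the cache directory")
    return target


_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def cache_response_headers(stored_name: str, content_type: str) -> dict[str, str]:
    """Headers for serving a cached upload: always a download, never a document."""
    download_name = _UNSAFE_NAME_CHARS.sub("_", os.path.basename(stored_name)) or "file"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{download_name}"',
        # Browsers must not second-guess the declared type by sniffing the body.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even a rendered response could not run scripts.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def minimal_wav(samples: bytes = b"\x00\x00" * 4) -> bytes:
    """Construct a tiny, well-formed PCM WAV file (constructed sample input)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    # A valid WAV uploaded under a misleading ".html" name is stored as .wav
    # and served as a download, so the extension in the filename is irrelevant.
    name, ctype = safe_storage_name("recording.html", minimal_wav())
    print(name, ctype)
    print(cache_response_headers(name, ctype))
```

Note that the magic-byte check alone would not stop a polyglot, because a WAV+HTML file is a genuine WAV; what neutralises it is that the stored extension and the served Content-Type are chosen by the server, and the response headers forbid rendering and sniffing regardless.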

Exploit · Fix · Unrestricted File Upload · XSS


Weakness Enumeration

Related Identifiers: BDU:2026-07195, CVE-2026-45315, GHSA-M8F9-9WHG-F4XR

Affected Products: Open-Webui