PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44721 open-webui CVE debrief

A stored cross-site scripting (XSS) vulnerability in Open WebUI allows authenticated users with model creation permissions to execute arbitrary JavaScript in other users' browsers. The vulnerability exists in versions prior to 0.9.0 and was fixed in that release. The CVSS 3.1 score of 7.3 (HIGH) reflects network attack vector, low attack complexity, required privileges, and user interaction needed, with high impact to confidentiality and integrity. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Vendor: open-webui
Product: Unknown
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances with multiple authenticated users, particularly those that delegate model creation permissions to non-administrators. Also relevant to security teams responsible for AI/ML platform security and to administrators of internal AI chat interfaces.

Technical summary

Open WebUI versions prior to 0.9.0 contain a stored XSS vulnerability in the model creation functionality. Any authenticated user with workspace.models permission can embed malicious JavaScript within model definitions. When other users (including administrators) view the compromised model in the chat interface, the embedded script executes in their browser context. This enables session hijacking, privilege escalation, and unauthorized actions on behalf of victim users. The vulnerability requires low attack complexity and user interaction, with high impact to confidentiality and integrity per CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.0 or later to remediate this vulnerability.
  • Review and restrict workspace.models permissions to only trusted administrators until patching is complete.
  • Audit existing models for malicious JavaScript payloads, particularly those created by non-administrative users.
  • Implement Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate XSS impact.
  • Monitor web application logs for suspicious model creation activity or unusual script execution patterns.
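The model audit in the third action above, as an added example that is not PatchSiren's or Open WebUI's own code. It assumes model records have been exported as dicts with the fields id, user_id, name, description and system_prompt; those field names are an assumption about the export format, not taken from the project, and the sample records are constructed.

```python
from html.parser import HTMLParser

# Assumed text-bearing fields of an exported model record (not the real schema).
TEXT_FIELDS = ("name", "description", "system_prompt")
ACTIVE_TAGS = ("script", "iframe", "object", "embed")


class ScriptFinder(HTMLParser):
    """Records markup that can execute script when rendered in a browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so case tricks are normalised.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for attr, value in attrs:
            if attr.startswith("on"):  # inline event handler, e.g. onerror=
                self.findings.append(f"{attr}= handler on <{tag}>")
            elif attr in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {attr} on <{tag}>")


def scan_text(text):
    """Return a list of script-capable markup findings in one text field."""
    parser = ScriptFinder()
    parser.feed(text)
    parser.close()
    return parser.findings


def audit_models(models, admin_ids):
    """Flag models whose text fields contain script-capable markup; note non-admin authors."""
    report = []
    for model in models:
        hits = [f"{field}: {f}" for field in TEXT_FIELDS for f in scan_text(str(model.get(field, "")))]
        if hits:
            report.append({"id": model["id"], "user_id": model["user_id"],
                           "non_admin_author": model["user_id"] not in admin_ids, "findings": hits})
    return report


# Constructed sample export: one clean model, two with script-capable markup.
SAMPLE_MODELS = [
    {"id": "m1", "user_id": "u_admin", "name": "Helper", "description": "Summarises documents.", "system_prompt": "You are helpful."},
    {"id": "m2", "user_id": "u_42", "name": "Helper <script>/* constructed */</script>", "description": '<img src=x onerror="void 0">', "system_prompt": ""},
    {"id": "m3", "user_id": "u_7", "name": "Links", "description": '<a href="javascript:void(0)">docs</a>', "system_prompt": ""},
]

if __name__ == "__main__":
    for entry in audit_models(SAMPLE_MODELS, {"u_admin"}):
        print(entry)
```

Models the scanner flags should be reviewed by hand rather than deleted automatically, and any field the UI renders as Markdown needs the same check on the rendered HTML.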

Evidence notes

CVE published 2026-05-15; NVD record modified 2026-05-19. The vendor advisory confirms exploitability and the fix in version 0.9.0. The CPE criteria confirm that all releases before 0.9.0 are affected.
