PatchSiren cyber security CVE debrief

CVE-2026-45303 open-webui CVE debrief

Open WebUI versions prior to 0.6.5 contain a stored cross-site scripting (XSS) vulnerability in the HTML rendering view. The application's chat visualization feature embeds HTML content within an iFrame using the sandbox directive `allow-scripts allow-forms allow-same-origin`. This configuration permits embedded scripts to execute and access parent-origin data including local storage, effectively nullifying the sandbox's security boundaries. An attacker with the ability to inject malicious HTML content into a chat could leverage this to access sensitive data or perform actions in the context of the victim's session. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N) reflects network attack vector, high attack complexity, low privileges required, user interaction required, changed scope, and high impacts to confidentiality and integrity. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Vendor: open-webui
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations operating self-hosted Open WebUI instances for offline AI workloads, particularly those processing untrusted or multi-tenant chat content. Security teams responsible for AI platform hardening and developers implementing sandboxed content rendering in web applications.

Technical summary

The vulnerability exists in Open WebUI's HTML visualization feature, which renders chat content in a sandboxed iFrame. The sandbox attribute includes the `allow-scripts`, `allow-forms`, and `allow-same-origin` permissions. Because the embedded HTML is served from the application's own origin, `allow-same-origin` combined with `allow-scripts` lets the embedded content run as the parent document's origin, giving it access to the parent's local storage and cookies. This configuration defeats the primary security purpose of the sandbox, allowing injected scripts to bypass isolation boundaries. The attack requires user interaction to view malicious content and low privileges to inject HTML, with high attack complexity due to the need to craft effective payloads within the sandbox constraints. The vulnerability does not affect availability per the CVSS vector.
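As an added illustration (not code from Open WebUI or from this advisory), the following check parses an iframe `sandbox` attribute value, flags the token combination described above, and derives a hardened value; the hardening policy it applies (keep scripts and forms, drop same-origin and top-navigation) is an assumption for the example.

```javascript
// Added example, not Open WebUI's code. Token names are the standard HTML
// sandbox keywords; which tokens to keep is an assumed policy.

// Audit a sandbox attribute value and return the parsed tokens plus findings.
function auditSandbox(sandboxAttr) {
  const tokens = new Set(
    String(sandboxAttr).trim().toLowerCase().split(/\s+/).filter(Boolean)
  );
  const findings = [];
  // When the framed HTML comes from the host's own origin (srcdoc or a
  // same-origin URL), these two tokens together give embedded script the
  // host origin: its localStorage and cookies become readable, and the
  // script can even strip the sandbox attribute from its own frame.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push(
      "allow-scripts + allow-same-origin: embedded script runs as the host " +
        "origin and can reach its localStorage and cookies"
    );
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: embedded content may navigate the host page");
  }
  return { tokens: [...tokens], findings };
}

// Assumed hardened policy: keep what a visualization needs (scripts, forms),
// drop allow-same-origin so the frame gets an opaque origin with no access
// to the host's storage, and drop top-navigation as well.
function hardenSandbox(sandboxAttr) {
  const keep = auditSandbox(sandboxAttr).tokens.filter(
    (t) => t !== "allow-same-origin" && t !== "allow-top-navigation"
  );
  return keep.join(" ");
}

// Constructed sample: the attribute value named in the advisory.
const VULNERABLE_SANDBOX = "allow-scripts allow-forms allow-same-origin";

// Usage: auditSandbox(VULNERABLE_SANDBOX).findings -> one finding;
// hardenSandbox(VULNERABLE_SANDBOX) -> "allow-scripts allow-forms"
```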

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open WebUI to version 0.6.5 or later to remediate the sandbox escape vulnerability
  • Review chat content sanitization controls to prevent injection of malicious HTML
  • Audit local storage and session data accessible to the application for sensitive information
  • Consider implementing Content Security Policy (CSP) headers as defense-in-depth for iFrame content
  • Monitor for anomalous script execution patterns in browser-based AI platform deployments

Evidence notes

Vulnerability confirmed through vendor security advisory GHSA-4vrc-m9ch-6m3r. Affected versions identified via CPE criteria as all versions prior to 0.6.5. CVSS score and vector sourced from NVD record. CWE-79 classification provided by GitHub Security Advisories.

Official resources

2026-05-15