
PatchSiren cyber security CVE debrief

CVE-2026-45346 Openwebui CVE debrief

CVE-2026-45346 is a medium-severity cross-site scripting issue in Open WebUI’s SVG renderer implementation. According to the vendor-linked advisory and NVD record, the vulnerability affects versions prior to 0.6.31 and is fixed in 0.6.31. The NVD entry classifies the weakness as CWE-80 and shows a CVSS 4.0 vector indicating network exposure with low attack complexity, but requiring low privileges and user interaction.

Vendor: Openwebui
Product: Open Webui
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and security teams running self-hosted Open WebUI deployments, especially any instance that accepts or renders SVG content from users or other untrusted sources. Web application owners should also review any workflows that embed Open WebUI content in browsers or internal portals.

Technical summary

The issue is a cross-site scripting flaw in Open WebUI’s SVG renderer implementation. The NVD record marks the affected CPE as openwebui:open_webui with the vulnerable range ending before 0.6.31, and the GitHub security advisory is the vendor reference for remediation. The weakness is mapped to CWE-80. Based on the CVSS vector provided by NVD, exploitation is network-reachable, requires low privileges and user interaction, and can impact confidentiality, integrity, or availability within the security scope.

Defensive priority

Medium. This is not marked as KEV in the provided enrichment, but it is a browser-facing XSS issue with user interaction involved, so remediation should be prioritized for any internet-facing or broadly used deployment.

Recommended defensive actions

  • Upgrade Open WebUI to version 0.6.31 or later.
  • Review any features that render SVG or other user-supplied content and ensure untrusted content is treated as unsafe.
  • If immediate upgrading is not possible, restrict access to affected instances and minimize exposure of SVG rendering paths.
  • Validate that downstream portals, reverse proxies, or integrations do not reintroduce unsafe rendering of Open WebUI output.
  • Confirm the deployment is no longer on a version earlier than 0.6.31 across all instances and environments.
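As an added illustration of the second and last actions above (not code from Open WebUI or the advisory), the following Python checks a user-supplied SVG for the script-carrying constructs behind CWE-80 and tests whether a reported version is at or past the 0.6.31 fix; the sample SVGs are constructed for the self-test, and the standard-library parser is assumed (a hardened deployment would parse untrusted XML with defusedxml).

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (0, 6, 31)  # first Open WebUI release carrying the fix

# Elements that let an SVG smuggle script or foreign markup into the page.
SCRIPT_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or embed active content when followed.
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(name):
    # Drop the XML namespace: "{http://www.w3.org/2000/svg}script" -> "script"
    return name.rsplit("}", 1)[-1]


def unsafe_svg_findings(svg_text):
    """Return reasons an untrusted SVG must not be rendered inline ([] if none)."""
    try:
        root = ET.fromstring(svg_text)  # assumption: defusedxml in production
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            attr_name = _local(attr)  # also covers xlink:href
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{tag}>")
            elif attr_name == "href" and UNSAFE_SCHEME.match(value):
                findings.append(f"href with active scheme on <{tag}>")
    return findings


def is_fixed(version):
    """True when a version string such as 'v0.6.31' is 0.6.31 or later."""
    parts = re.split(r"[.\-+]", version.lstrip("vV"))[:3]
    return tuple(int(p) for p in parts) >= FIXED_VERSION


# Constructed samples for the self-test; not taken from the advisory.
SAFE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
UNSAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="doSomething()">'
    '<a href="javascript:void(0)"><text>x</text></a>'
    '<script>/* constructed */</script></svg>'
)

if __name__ == "__main__":
    print("safe:", unsafe_svg_findings(SAFE_SVG))
    print("unsafe:", unsafe_svg_findings(UNSAFE_SVG))
    print("0.6.30 fixed?", is_fixed("0.6.30"), "| 0.6.31 fixed?", is_fixed("0.6.31"))
```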

Evidence notes

The CVE was published on 2026-05-15 and modified on 2026-05-18 per the supplied timeline. NVD identifies the issue as analyzed, maps it to CWE-80, and lists the affected Open WebUI CPE as vulnerable up to but not including 0.6.31. The GitHub security advisory is the vendor-linked remediation reference. No KEV entry or ransomware campaign association is provided in the supplied enrichment.

Official resources

Publicly disclosed on 2026-05-15, with a later NVD modification on 2026-05-18. Treat the issue date as the CVE publication date, not the debrief generation date.