CVE-2025-46719
📋 TL;DR
Open WebUI versions before 0.6.6 contain a stored cross-site scripting (XSS) vulnerability where attackers can inject JavaScript into chat messages. When users view these malicious chat transcripts, the JavaScript executes in their browser, potentially stealing access tokens and enabling account takeover. This affects all Open WebUI instances with vulnerable versions, especially those with community sharing enabled.
💻 Affected Systems
- Open WebUI
📦 What is this software?
Open Webui by Openwebui
⚠️ Risk & Real-World Impact
Worst Case
Attackers compromise admin accounts via the XSS, use those accounts to create malicious functions containing Python code, and thereby achieve remote code execution on the server and potentially full control of the Open WebUI backend.
Likely Case
Attackers steal user access tokens through XSS, compromise user accounts, and access sensitive chat data and AI interactions.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing token theft and account compromise.
🎯 Exploit Status
Exploitation requires the ability to create or modify chat messages, but once a payload is injected, the XSS triggers automatically whenever a victim views the transcript.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.6
Vendor Advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-9f4f-jv96-8766
Restart Required: Yes
Instructions:
1. Backup your Open WebUI configuration and data.
2. Update to version 0.6.6 or later using your package manager or deployment method.
3. Restart the Open WebUI service.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Community Sharing
Prevents wormable XSS propagation through openwebui.com by disabling the community sharing feature.
Set 'Enable Community Sharing' to disabled in admin panel
Restrict Chat Sharing
Limit chat transcript sharing to trusted users only to reduce the attack surface.
Configure sharing permissions to restrict access
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check if Open WebUI version is below 0.6.6 in the web interface or configuration files.
Check Version:
Check web interface settings or run 'docker inspect open-webui' if using Docker
Verify Fix Applied:
Confirm version is 0.6.6 or higher and test that HTML tags in chat messages are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual chat message patterns with script tags
- Multiple failed login attempts from new locations after viewing shared chats
Network Indicators:
- Outbound connections to suspicious domains after viewing chat transcripts
- Unusual API calls to token endpoints
SIEM Query:
source="openwebui" AND (message="*<script>*" OR message="*javascript:*")
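The SIEM query above, applied in Python to JSON-formatted chat log lines, as an added example that is not part of this advisory; the `source`, `user` and `message` field names and the sample log lines are assumptions constructed for the example.

```python
import json
import re

# Added example (not part of the advisory): applies the advisory's SIEM query,
# source="openwebui" AND (message contains "<script>" OR "javascript:"),
# to structured log lines. Matching is case-insensitive and tolerates whitespace
# and attributes inside the tag, so "<SCRIPT src=...>" is caught as well as the
# literal "<script>" the query names.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URI = re.compile(r"javascript\s*:", re.IGNORECASE)


def matches_xss_indicator(message: str) -> bool:
    """Return True if the message contains either indicator from the SIEM query."""
    return bool(SCRIPT_TAG.search(message) or JS_URI.search(message))


def scan_log_lines(lines):
    """Return a list of (line_no, record) for openwebui records whose message matches."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # unstructured line; skip rather than abort the scan
        if record.get("source") != "openwebui":
            continue  # the query is scoped to the openwebui source only
        if matches_xss_indicator(str(record.get("message", ""))):
            hits.append((line_no, record))
    return hits


# Constructed sample log lines (not real data); the tags are inert markers.
SAMPLE_LOG = [
    '{"source": "openwebui", "user": "alice", "message": "What is a CSP header?"}',
    '{"source": "openwebui", "user": "bob", "message": "<SCRIPT src=x>marker</script>"}',
    '{"source": "nginx", "message": "GET /api/v1/chats <script> 200"}',
    '{"source": "openwebui", "user": "eve", "message": "[click](JavaScript:marker)"}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, rec in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: user={rec.get('user')} message={rec['message']!r}")
```

Lines 2 and 4 of the sample are reported; line 3 is excluded because its source is not openwebui, and the unparseable line is skipped.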
🔗 References
- https://github.com/open-webui/open-webui/blob/main/src/lib/components/chat/Messages/Markdown/MarkdownTokens.svelte#L269-L279
- https://github.com/open-webui/open-webui/commit/6fd082d55ffaf6eb226efdeebc7155e3693d2d01
- https://github.com/open-webui/open-webui/security/advisories/GHSA-9f4f-jv96-8766