Stored Cross-Site Scripting Vulnerability in Open WebUI by Open WebUI
CVE-2026-44721

7.3HIGH

Key Information:

Vendor: Open-webui
Status: Open-webui
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-44721?

Open WebUI, a self-hosted AI platform operating entirely offline, faced a stored cross-site scripting vulnerability prior to version 0.9.0. This issue allows any authenticated user with model creation permissions to execute arbitrary JavaScript in the browser of any user, including administrators, who views the altered model in the chat interface. The flaw was effectively addressed in the release of version 0.9.0.

Affected Version(s)

open-webui < 0.9.0

References

https://github.com/open-webui/open-webui/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44721 Data

JSON

Open-webui

What is CVE-2026-44721?

Affected Version(s)

References

CVSS V3.1

Timeline