SCA: security update for open-webui (GHSA-vjm7-m4xh-7wrc)

medium Tenable Cloud Security Plugin ID 444482

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior
to version 0.6.44, aanually modifying chat history allows setting the `embeds` property on a response
message, the content of which is loaded into an iFrame with a sandbox that has `allow-scripts` and `allow-
same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS
on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable
link containing the payload that can be distributed to any other users on the instance. Version 0.6.44
fixes the issue. (CVE-2026-26193)

Solution

Update the open-webui library and its related packages to version 0.6.44 or later.

See Also

https://github.com/advisories/GHSA-vjm7-m4xh-7wrc

Plugin Details

Severity: Medium

ID: 444482

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/7/2026

Updated: 7/7/2026

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.05

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-26193

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/7/2026

Vulnerability Publication Date: 2/19/2026

Reference Information

CVE: CVE-2026-26193

cwe: CWE-79