[GH-ISSUE #18387] issue: Stored XSS in Artifact Rendering #18581

Closed
opened 2026-04-20 00:47:58 -05:00 by GiteaMirror · 2 comments

Originally created by @xqrt on GitHub (Oct 17, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/18387

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

all

Ollama Version (if applicable)

No response

Operating System

n/a

Browser (if applicable)

all

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Summary

Submitting custom Python code through the code interpreter text box enables malicious HTML rendering in the Artifact section, creating a stored XSS vulnerability.

Details

  1. Finding/steps
    Payload Delivery: An attacker embeds an XSS payload into Python code and saves it as an artifact.
    Chat Sharing: The attacker shares the chat link containing the payload with victims.
    Triggering the Payload: Victims must clone the chat to expose the Artifact section. Upon viewing the artifact, the payload executes automatically.

  2. Risk
    Session Hijacking: Steals session cookies/tokens, enabling account impersonation.
    Privilege Escalation: Compromising admin accounts could allow attackers to:
    - Modify frontend/backend configurations in Open WebUI.
    - Deploy additional malicious scripts or exfiltrate sensitive data.
    - Escalate attacks to internal systems depending on admin permissions. (configuration dependent)

  3. Recommendations

  • Sanitize all user-generated content in artifacts.
  • Restrict HTML rendering privileges in non-trusted sections.
  • Implement context-aware output encoding for stored data.

PoC

Input the given Python code into the prompt and wait for the model to rewrite it. In the rewritten code section click Save, then go to the (...) on the top right and click Artifact. When the side panel opens, the XSS PoC gets triggered.

Python prompt used:

```python
# Begin HTML response
print("<html>")
print("<head>")
print("<title>CSRF Command Runner</title>")
print("</head>")
print("<body>")
print("<h1>Execute Shell Commands Safely</h1>")
print("<form method='get' action='shell.py'>")
print("<label for='command'>Enter Command:</label><br>")
print("<input type='text' id='command' name='command' /><br>")
print("<input type='submit' value='Submit' />")
print("<script>window.top.alert(document.cookie)</script>")  # script tag that runs when the artifact is rendered
print("</form>")
print("<p>Note: This form is vulnerable to CSRF attacks. Consider implementing CSRF protection.</p>")
print("</body>")
print("</html>")
```


POC is from a local deployment, but it was verified with other models on a Kubernetes deployment.

Impact

This allowed attackers to execute malicious JavaScript and steal session cookies from victims, essentially leading to vertical and horizontal privilege escalation attacks.

Actual Behavior

No response since April so disclosing this.

Steps to Reproduce

  1. Payload Delivery: An attacker embeds an XSS payload into Python code and saves it as an artifact.
  2. Chat Sharing: The attacker shares the chat link containing the payload with victims.
  3. Triggering the Payload: Victims must clone the chat to expose the Artifact section. Upon viewing the artifact, the payload executes automatically.

Logs & Screenshots


Additional Information

No response
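One allow-list implementation of the sanitization recommended in the report, added here as an example (not Open WebUI's own code). It uses only the standard library; the tag and attribute lists and POC_HTML are constructed for the example. Run over the markup the PoC prints, it strips the form, input and script elements (the script together with its body), keeps the visible text, and returns what it removed so the server can log a suspicious artifact.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list policy constructed for this example (not Open WebUI's own code).
ALLOWED_TAGS = {"html", "head", "title", "body", "h1", "h2", "p", "br", "b", "i", "ul", "li", "pre", "code", "a"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}
ALLOWED_ATTRS = {"id", "class", "title", "href"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

class ArtifactSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0  # rebuilt HTML, audit trail, drop nesting

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:  # <script>, <iframe>, ...: element and its content both go
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:  # <form>, <input>, ...: element goes, text stays
            self.dropped.append(tag)
            return
        safe = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append(f"{tag}@{name}")  # event handlers, style, src, srcdoc, ...
            elif name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@href")  # javascript:, data:, relative URLs
            else:
                safe.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text stays text, never markup

def sanitize_artifact(body):
    s = ArtifactSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.dropped  # (clean_html, what was removed)

POC_HTML = ("<html><body><h1>Execute Shell Commands Safely</h1><form action='shell.py'>"  # constructed
            "<input id='command' /><script>window.top.alert(document.cookie)</script></form>"
            "<p>Note: This form is vulnerable to CSRF attacks.</p></body></html>")
```

Rendering the cleaned result in an iframe whose `sandbox` attribute omits `allow-same-origin` is the complementary control from the report's second recommendation: anything that slips past the filter then runs on an opaque origin with no access to the application's cookies or DOM.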

GiteaMirror added the bug label 2026-04-20 00:47:58 -05:00

@Classic298 commented on GitHub (Oct 17, 2025):

You should report vulnerabilities as described in the SECURITY.md file, not as an issue.

https://github.com/open-webui/open-webui/security

And second: basically this exact issue is known already and has been reported before in these reports:

  • https://github.com/open-webui/open-webui/security/advisories/GHSA-8gh5-qqh8-hq3x
  • https://github.com/open-webui/open-webui/security/advisories/GHSA-9f4f-jv96-8766 <- especially this one is basically exactly the same or extremely similar

@xqrt commented on GitHub (Oct 17, 2025):

It is, but 6 months, no response.

Reference: github-starred/open-webui#18581