{"id":"GHSA-fq3v-xjjx-95rc","summary":"Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order","details":"## Vulnerability Details\n\n**CWE-79**: Cross-site Scripting (XSS)\n\nThe `AccountPending.svelte` component renders the admin-configured \"Pending User Overlay Content\" using `marked.parse()` inside `{@html}` with an incorrect DOMPurify application order:\n\n### Vulnerable Code\n\n**`src/lib/components/layout/Overlay/AccountPending.svelte` (lines 43-48)**:\n\n```svelte\n{@html marked.parse(\n    DOMPurify.sanitize(\n        ($config?.ui?.pending_user_overlay_content ?? '').replace(/\\n/g, '\u003cbr\u003e')\n    )\n)}\n```\n\nDOMPurify is applied to the raw Markdown input **before** `marked.parse()` processes it. This is the wrong order. DOMPurify sanitizes the Markdown text (which contains no HTML tags), then `marked.parse()` converts Markdown link syntax into HTML `\u003ca\u003e` tags with `javascript:` href, and the result is rendered with `{@html}` unsanitized.\n\nThe correct pattern (used elsewhere in the codebase, e.g., `NotebookView.svelte:77`) is:\n```javascript\nDOMPurify.sanitize(marked.parse(src))  // sanitize AFTER markdown parsing\n```\n\n## Steps to Reproduce\n\n### Prerequisites\n- Open WebUI v0.8.10\n- Admin account\n- A second user account with \"pending\" role\n\n### Steps\n\n1. Log in as admin and navigate to **Admin Settings** → **Settings** → **General**.\n\n2. Set **Default User Role** to `pending`.\n\n3. In the **Pending User Overlay Content** field, enter:\n```\n# Account Pending\n\nYour account is under review.\n\n[Contact Support](javascript:alert(document.domain))\n```\n\n4. Save the settings.\n\n5. In a separate browser (or incognito window), create a new account or log in as a pending user.\n\n6. The pending overlay is displayed. Click the \"Contact Support\" link.\n\n7. A JavaScript alert dialog appears showing `localhost` (the document domain), confirming XSS execution.\n\n### Verified Output\n\nThe `alert(document.domain)` executes successfully, displaying \"localhost\" in a JavaScript dialog box.\n\n## Impact\n\nAn admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This could be used to:\n\n- **Session hijacking**: Steal pending users' JWT tokens from cookies/localStorage\n- **Credential theft**: Replace the pending overlay with a fake login form\n- **Phishing**: Redirect pending users to malicious sites\n\nWhile this requires admin privileges to set the overlay content, it enables an admin to attack pending users (who have not yet been granted full access). In multi-admin deployments, a compromised admin account could use this to escalate attacks.\n\n## Proposed Fix\n\nApply DOMPurify **after** `marked.parse()`, not before:\n\n```svelte\n\u003c!-- Before (vulnerable): --\u003e\n{@html marked.parse(\n    DOMPurify.sanitize(\n        ($config?.ui?.pending_user_overlay_content ?? '').replace(/\\n/g, '\u003cbr\u003e')\n    )\n)}\n\n\u003c!-- After (fixed): --\u003e\n{@html DOMPurify.sanitize(\n    marked.parse(\n        ($config?.ui?.pending_user_overlay_content ?? '').replace(/\\n/g, '\u003cbr\u003e'),\n        { async: false }\n    )\n)}\n```\n\u003cimg width=\"1510\" height=\"1093\" alt=\"2026-03-23_03-07\" src=\"https://github.com/user-attachments/assets/bcc94dd6-4f06-472b-9979-9759458c76b3\" /\u003e","aliases":["CVE-2026-44568"],"modified":"2026-05-08T22:35:39.533113Z","published":"2026-05-08T22:21:33Z","database_specific":{"severity":"MODERATE","github_reviewed":true,"cwe_ids":["CWE-79"],"github_reviewed_at":"2026-05-08T22:21:33Z","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc"},{"type":"PACKAGE","url":"https://github.com/open-webui/open-webui"}],"affected":[{"package":{"name":"open-webui","ecosystem":"PyPI","purl":"pkg:pypi/open-webui"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.0"}]}],"versions":["0.1.124","0.1.125","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.3.0","0.3.1","0.3.10","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.17","0.3.17.dev2","0.3.17.dev3","0.3.17.dev4","0.3.17.dev5","0.3.18","0.3.19","0.3.2","0.3.20","0.3.21","0.3.22","0.3.23","0.3.24","0.3.25","0.3.26","0.3.27","0.3.27.dev1","0.3.27.dev2","0.3.27.dev3","0.3.28","0.3.29","0.3.3","0.3.30","0.3.30.dev1","0.3.30.dev2","0.3.31","0.3.31.dev1","0.3.32","0.3.33","0.3.33.dev1","0.3.34","0.3.35","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0","0.4.0.dev1","0.4.0.dev2","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.6.dev1","0.4.7","0.4.8","0.5.0","0.5.0.dev1","0.5.0.dev2","0.5.1","0.5.10","0.5.11","0.5.12","0.5.13","0.5.14","0.5.15","0.5.16","0.5.17","0.5.18","0.5.19","0.5.2","0.5.20","0.5.3","0.5.3.dev1","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.5.9","0.6.0","0.6.1","0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.15","0.6.16","0.6.18","0.6.19","0.6.2","0.6.20","0.6.21","0.6.22","0.6.23","0.6.24","0.6.25","0.6.26","0.6.26.dev1","0.6.27","0.6.28","0.6.29","0.6.3","0.6.30","0.6.31","0.6.32","0.6.33","0.6.34","0.6.35","0.6.36","0.6.37","0.6.38","0.6.39","0.6.4","0.6.40","0.6.41","0.6.42","0.6.43","0.6.5","0.6.6","0.6.6.dev1","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.7.2","0.8.0","0.8.1","0.8.10","0.8.11","0.8.12","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fq3v-xjjx-95rc/GHSA-fq3v-xjjx-95rc.json","last_known_affected_version_range":"\u003c= 0.8.12"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}]}