CVE-2025-46571 is a medium-severity cross-site scripting (XSS) vulnerability affecting versions of the open-webui platform prior to 0.6.6. Open WebUI is a self-hosted AI platform designed to operate offline, allowing users to upload and manage files through a backend API endpoint (/api/v1/files/). The vulnerability arises because low-privileged users can upload HTML files containing malicious JavaScript code via this endpoint. When the file is accessed in a browser, the embedded JavaScript executes in the context of the viewer's session. By default, these uploaded files are only viewable by the uploader or administrators, which limits the exposure. However, an attacker with low privileges can craft a malicious HTML file and send its link to an administrator. If the admin clicks the link, the malicious script executes with the admin's privileges, enabling the attacker to hijack the admin account. This can escalate to remote code execution (RCE) through functions accessible to the compromised admin account. The vulnerability is due to improper input neutralization during web page generation (CWE-79), allowing script injection. The issue was fixed in version 0.6.6 of open-webui. The CVSS 4.0 score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges required for the initial upload, but user interaction is needed (admin clicking the link). The scope and impact are high since the attacker can escalate privileges and potentially execute arbitrary code on the server via the admin account. No known exploits are currently reported in the wild.

For European organizations using open-webui versions prior to 0.6.6, this vulnerability poses a significant risk, especially in environments where multiple users have access to upload files and administrators regularly interact with user-generated content. Successful exploitation could lead to full compromise of administrative accounts, enabling attackers to manipulate AI workflows, access sensitive data, or execute arbitrary code on the hosting infrastructure. This could disrupt AI-driven business processes, lead to data breaches, and damage organizational reputation. The offline design of open-webui does not eliminate risk since internal threat actors or compromised low-privileged accounts can exploit this vulnerability. Given the potential for privilege escalation and RCE, organizations handling sensitive AI models or data could face severe operational and compliance consequences under European data protection regulations such as GDPR.

1. Immediate upgrade to open-webui version 0.6.6 or later, which contains the patch for this vulnerability. 2. Implement strict file upload validation and sanitization on the server side to reject or neutralize HTML files containing scripts. 3. Restrict file upload permissions to trusted users only, minimizing the number of low-privileged users who can upload files. 4. Educate administrators to avoid clicking on untrusted or unexpected links, especially those pointing to user-uploaded files. 5. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce XSS impact. 6. Monitor logs for unusual file uploads and access patterns to detect potential exploitation attempts. 7. Consider isolating the open-webui environment or running it with minimal privileges to limit the impact of a successful attack. 8. Regularly audit user roles and permissions to ensure least privilege principles are enforced.