CVE Patch Review

CVE-2026-26193 Patch Review: Bandaid Fixes Unrelated Access-Control and Tooling Paths

CVE-2026-26193 · GHSA-VJM7-M4XH-7WRC · Updated 2026-07-07 Bandaid

Summary

The referenced commit does not show a targeted remediation for the reported stored XSS via iframe embeds in response messages. The visible changes primarily adjust model write-permission filtering, user schema permissiveness, localization strings, and tool server filter-list handling. Based on the provided patch snippets, there is no source-grounded evidence of iframe sandbox hardening, HTML sanitization, embed policy enforcement, or response-message rendering changes tied to the CVE description.

Analysis

Vulnerability

CVE-2026-26193 and the corresponding CVE record describe a stored XSS condition in Open WebUI where insecure iframe sandbox configuration in response messages allows a low-privileged user to execute script-capable content in shared chats and steal administrator session tokens. The reported weakness is therefore in the rendering and containment of embedded iframe content, not in model ACL filtering or tool-server configuration parsing.

For a complete fix, the expected patch surface would normally include one or more of: stricter iframe sandbox attributes, removal of dangerous sandbox capabilities, origin isolation, sanitization of persisted/rendered HTML, validation of embed sources, or response-message rendering changes in the frontend/backend path that stores or displays chat content.

Patch

The referenced code change is the Open WebUI commit 6f1486ffd0cb288d0e21f41845361924e0d742b3. However, the provided diff snippets do not show any modifications to iframe rendering, sandbox policy, message sanitization, or chat-response HTML handling.

Instead, the visible changes affect unrelated areas:

  • backend/open_webui/models/models.py: introduces _has_write_permission and OR-based filtering over group_ids and user_id.
  • backend/open_webui/routers/models.py: populates group_ids from user group membership.
  • backend/open_webui/routers/users.py: changes a Pydantic model to allow extra fields.
  • src/lib/components/AddToolServerModal.svelte and backend/open_webui/utils/middleware.py: normalize function_name_filter_list handling between string and list forms.
  • src/lib/i18n/locales/ca-ES/translation.json: localization updates only.
def _has_write_permission(self, query, filter: dict):
    if filter.get("group_ids") or filter.get("user_id"):
        conditions = []

        if filter.get("group_ids"):
            group_ids = filter["group_ids"]
            like_clauses = []

            for gid in group_ids:
                like_clauses.append(
                    cast(Model.access_control, String).like(
                        f'%"write"%"group_ids"%"{gid}"%'
                    )
                )

            conditions.append(or_(*like_clauses))

        if filter.get("user_id"):
            conditions.append(Model.user_id == filter["user_id"])

        query = query.filter(or_(*conditions))

    return query

This snippet is access-control logic for model write permissions. It is not an iframe/embed containment control and does not address stored XSS in response messages as described by the advisory sources.

Review

Pros

  • The commit appears to improve consistency in permission filtering by considering both ownership and group-based write access.
  • The tool-server filter-list changes reduce type ambiguity by accepting either a string or a list-like serialized source before splitting, which may prevent runtime errors in middleware paths.
  • The changes are small and localized, which lowers regression risk for the touched subsystems.

Cons

  • There is no visible remediation for the reported vulnerability class: no iframe sandbox tightening, no sanitization logic, no response-message rendering changes, and no embed allowlist enforcement.
  • The files touched in the provided snippets do not align with the CVE narrative of stored XSS via iframe embeds in shared chats.
  • Because the patch does not appear to modify the vulnerable rendering path, the exploit described by NVD remains unaddressed based on the available evidence.
  • One visible change in users.py loosens schema handling via extra="allow", which is orthogonal to the XSS issue and may expand accepted input surface rather than constrain it.
  • The access-control query uses string LIKE matching over serialized access-control data, which is brittle and unrelated to browser-side script execution controls.

Verdict

Bandaid.

Based strictly on the supplied commit snippets and the advisory text, this patch does not demonstrate a fix for the root cause of CVE-2026-26193. The reported issue is stored XSS through insecure iframe embed handling in response messages, but the visible changes target model-sharing permissions and tool configuration parsing instead. Unless additional, omitted hunks in the same commit modify the chat rendering or iframe sandbox path, the patch should not be accepted as a complete security remediation for this CVE.

Recommended follow-up is to inspect the actual response-message rendering components and any backend markdown/HTML transformation pipeline for explicit iframe restrictions, then verify the effective browser output. Engineers should look for changes that remove dangerous sandbox capabilities, sanitize persisted embed markup, or block untrusted iframe embeds entirely. The authoritative references for the issue context are the NVD entry, the CVE record, and the referenced Open WebUI commit.

Sources