Skip to main content

Open WebUI CVE-2026-45299

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 https://github.com/open-webui/open-webui GHSA-6gh2-q7cp-9qf6
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:19 vuln.today
Analysis Generated
May 14, 2026 - 21:19 vuln.today
CVE Published
May 14, 2026 - 20:15 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Summary

The profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:

  1. data:text/html;base64,... in a new browser tab (raresvis, 2025-04-17) - when a victim right-clicks a user's profile picture and chooses "Open image in new tab", the browser navigates to the data: URL and executes embedded scripts in the data: origin. Limited to social-engineering / redirect attacks because the script does not run in the application origin.
  2. data:image/svg+xml;base64,... re-served by the application origin (Gh05t666nero, 2026-01-09) - GET /api/v1/users/{user_id}/profile/image decoded the base64 and returned StreamingResponse(media_type=<user-controlled>) extracted from the data: header. With media_type=image/svg+xml and Content-Disposition: inline, the SVG-embedded scripts executed in the application origin, enabling JWT theft from localStorage and full account takeover of any user - including admins - who loaded the malicious profile image URL.

Both attack paths share the same root cause (lack of MIME-type validation on profile_image_url) and are closed by the same fix.

Vulnerable code (v0.7.0)

backend/open_webui/routers/users.py get_user_profile_image_by_id():

python
elif user.profile_image_url.startswith("data:image"):
    header, base64_data = user.profile_image_url.split(",", 1)
    image_data = base64.b64decode(base64_data)
    image_buffer = io.BytesIO(image_data)
    media_type = header.split(";")[0].lstrip("data:")
# user-controlled
    return StreamingResponse(
        image_buffer,
        media_type=media_type,
        headers={"Content-Disposition": "inline"},
    )

Fix

Commit 773787c74 (2026-02-11), first contained in tag v0.8.0, applies the validate_profile_image_url field validator to every form that accepts profile_image_url (UserModel, UpdateProfileForm, SignupForm in backend/open_webui/models/users.py and backend/open_webui/models/auths.py). The validator explicitly rejects data:image/svg+xml and any non-image data URI, allowing only data:image/{png,jpeg,gif,webp};base64 plus known internal paths and http(s):// URLs. This blocks both attack vectors at form submission time, so a malicious URL can no longer be persisted to the database.

Credits

  • raresvis - discovered the data:text/html-via-new-tab path
  • Gh05t666nero - discovered the data:image/svg+xml-via-server-side path (the more severe origin-XSS vector that determined the consolidated CVSS)

Per our Report Handling policy, the cluster is consolidated into the earliest filing with credit to every reporter who demonstrated a distinct exploitation path.

Affected / patched versions

  • Affected: < 0.8.0
  • Patched: >= 0.8.0

AnalysisAI

Stored cross-site scripting in Open WebUI versions before 0.8.0 allows authenticated users to inject malicious data URIs into the profile_image_url field, enabling JavaScript execution in the application origin. The most critical attack path involves uploading a base64-encoded SVG data URI that, when loaded via the /api/v1/users/{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).

Technical ContextAI

The vulnerability exists in the profile image serving endpoint (backend/open_webui/routers/users.py, get_user_profile_image_by_id()) which accepts data URI schemes without validating the MIME type. When a user profile_image_url field contains a data: URI, the application extracts the media_type from the URI header and passes it directly to StreamingResponse() with Content-Disposition: inline, allowing arbitrary content types. SVG data URIs with embedded scripts execute JavaScript in the application origin where localStorage (containing JWT tokens) is accessible. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation-Cross-site Scripting). The vulnerability affects the CPE pkg:pip/open-webui and is present in all versions prior to 0.8.0. The fix (commit 773787c74) implements strict MIME-type validation at form submission time via the validate_profile_image_url field validator, restricting data URIs to only safe image formats (png, jpeg, gif, webp) and blocking svg and html entirely.

RemediationAI

Upgrade immediately to Open WebUI version 0.8.0 or later (https://github.com/open-webui/open-webui/releases/tag/v0.8.0). This release includes commit 773787c74 which applies strict MIME-type validation to the profile_image_url field across all forms (UserModel, UpdateProfileForm, SignupForm). Important: v0.8.0 includes database schema migrations that require downtime and simultaneous updates across all instances in multi-server deployments; rolling updates are not supported. Back up your database before upgrading. The migration on the chat_message table may take significant time in large deployments with extensive chat histories. For users unable to upgrade immediately, the vulnerability can only be exploited by authenticated users with the ability to set their own profile_image_url; restrict account creation (disable open registration) or monitor profile_image_url submissions for data: URI schemes and reject them at the application layer or WAF level.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy