Open WebUI CVE-2026-45299
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:
data:text/html;base64,...in a new browser tab (raresvis, 2025-04-17) - when a victim right-clicks a user's profile picture and chooses "Open image in new tab", the browser navigates to the data: URL and executes embedded scripts in thedata:origin. Limited to social-engineering / redirect attacks because the script does not run in the application origin.data:image/svg+xml;base64,...re-served by the application origin (Gh05t666nero, 2026-01-09) -GET /api/v1/users/{user_id}/profile/imagedecoded the base64 and returnedStreamingResponse(media_type=<user-controlled>)extracted from thedata:header. Withmedia_type=image/svg+xmlandContent-Disposition: inline, the SVG-embedded scripts executed in the application origin, enabling JWT theft fromlocalStorageand full account takeover of any user - including admins - who loaded the malicious profile image URL.
Both attack paths share the same root cause (lack of MIME-type validation on profile_image_url) and are closed by the same fix.
Vulnerable code (v0.7.0)
backend/open_webui/routers/users.py get_user_profile_image_by_id():
elif user.profile_image_url.startswith("data:image"):
header, base64_data = user.profile_image_url.split(",", 1)
image_data = base64.b64decode(base64_data)
image_buffer = io.BytesIO(image_data)
media_type = header.split(";")[0].lstrip("data:")
# user-controlled
return StreamingResponse(
image_buffer,
media_type=media_type,
headers={"Content-Disposition": "inline"},
)Fix
Commit 773787c74 (2026-02-11), first contained in tag v0.8.0, applies the validate_profile_image_url field validator to every form that accepts profile_image_url (UserModel, UpdateProfileForm, SignupForm in backend/open_webui/models/users.py and backend/open_webui/models/auths.py). The validator explicitly rejects data:image/svg+xml and any non-image data URI, allowing only data:image/{png,jpeg,gif,webp};base64 plus known internal paths and http(s):// URLs. This blocks both attack vectors at form submission time, so a malicious URL can no longer be persisted to the database.
Credits
- raresvis - discovered the
data:text/html-via-new-tab path - Gh05t666nero - discovered the
data:image/svg+xml-via-server-side path (the more severe origin-XSS vector that determined the consolidated CVSS)
Per our Report Handling policy, the cluster is consolidated into the earliest filing with credit to every reporter who demonstrated a distinct exploitation path.
Affected / patched versions
- Affected:
< 0.8.0 - Patched:
>= 0.8.0
AnalysisAI
Stored cross-site scripting in Open WebUI versions before 0.8.0 allows authenticated users to inject malicious data URIs into the profile_image_url field, enabling JavaScript execution in the application origin. The most critical attack path involves uploading a base64-encoded SVG data URI that, when loaded via the /api/v1/users/{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).
Technical ContextAI
The vulnerability exists in the profile image serving endpoint (backend/open_webui/routers/users.py, get_user_profile_image_by_id()) which accepts data URI schemes without validating the MIME type. When a user profile_image_url field contains a data: URI, the application extracts the media_type from the URI header and passes it directly to StreamingResponse() with Content-Disposition: inline, allowing arbitrary content types. SVG data URIs with embedded scripts execute JavaScript in the application origin where localStorage (containing JWT tokens) is accessible. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation-Cross-site Scripting). The vulnerability affects the CPE pkg:pip/open-webui and is present in all versions prior to 0.8.0. The fix (commit 773787c74) implements strict MIME-type validation at form submission time via the validate_profile_image_url field validator, restricting data URIs to only safe image formats (png, jpeg, gif, webp) and blocking svg and html entirely.
RemediationAI
Upgrade immediately to Open WebUI version 0.8.0 or later (https://github.com/open-webui/open-webui/releases/tag/v0.8.0). This release includes commit 773787c74 which applies strict MIME-type validation to the profile_image_url field across all forms (UserModel, UpdateProfileForm, SignupForm). Important: v0.8.0 includes database schema migrations that require downtime and simultaneous updates across all instances in multi-server deployments; rolling updates are not supported. Back up your database before upgrading. The migration on the chat_message table may take significant time in large deployments with extensive chat histories. For users unable to upgrade immediately, the vulnerability can only be exploited by authenticated users with the ability to set their own profile_image_url; restrict account creation (disable open registration) or monitor profile_image_url submissions for data: URI schemes and reject them at the application layer or WAF level.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6gh2-q7cp-9qf6