Skip to main content

Open WebUI CVE-2026-56398

| EUVDEUVD-2026-44628 HIGH
Improper Input Validation (CWE-20)
2026-07-15 VulnCheck GHSA-5p6h-xfw9-p64q
8.5
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Authenticated OAuth user needed (PR:L) and victim must open the image endpoint (UI:R); token theft yields account takeover (C:H/I:H), no availability impact and same-origin script keeps scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 13:03 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 12:29 vuln.today
Analysis Generated
Jul 15, 2026 - 12:29 vuln.today
CVE Published
Jul 15, 2026 - 11:25 cve.org
HIGH 8.5

DescriptionCVE.org

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover.

AnalysisAI

Stored cross-site scripting in Open WebUI before 0.9.5 lets an attacker plant a malicious SVG as a victim's OAuth profile image and execute script in the application's origin. During OAuth login, the picture claim URL is fetched and its MIME type is guessed from the file extension rather than the response Content-Type, so a .svg URL is stored as a data:image/svg+xml;base64,... …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker controls IdP picture claim
Delivery
Point claim to attacker .svg URL
Exploit
Complete OAuth login to Open WebUI
Install
SVG stored as image/svg+xml data URI
C2
Victim opens profile image endpoint
Execute
Inline SVG script runs in same origin
Impact
Steal localStorage token, take over account

Vulnerability AssessmentAI

Exploitation Exploitation requires that Open WebUI be configured with OAuth/OIDC login and profile-image provisioning from the IdP `picture` claim, and that the attacker can make the `picture` claim resolve to an attacker-controlled URL whose path ends in `.svg` returning malicious SVG content (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N) scoring 8.5 is internally consistent with the description: network-reachable, low complexity, requires low privileges (an authenticated Open WebUI account able to complete OAuth), passive user interaction (the victim must navigate to the image endpoint), and high confidentiality/integrity impact via token theft and account takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with (or who can influence) an Open WebUI account logs in through an OAuth/OIDC provider whose `picture` claim points to an attacker-hosted URL ending in `.svg` that returns a malicious SVG containing `<script>` reading `localStorage.token`. Open WebUI stores it as an `image/svg+xml` data URI; when the victim (or the attacker viewing their own token via the same-origin document) navigates to `GET /api/v1/users/{id}/profile/image`, the SVG loads as a top-level document and its script runs in the app origin, exfiltrating the authentication token for account takeover. …
Remediation Vendor-released patch: 0.9.5 - upgrade Open WebUI to 0.9.5 or later, which routes OAuth-supplied profile images through proper validation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Open WebUI deployments and identify versions in use; implement compensating controls immediately, prioritizing restriction of profile image uploads and enforcing strict Content Security Policy headers to block inline script execution. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-7053 CRITICAL POC
9.0 Mar 20

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session

CVE-2024-8017 CRITICAL POC
9.0 Mar 20

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the

CVE-2024-7044 HIGH POC
8.9 Mar 20

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui

CVE-2024-7806 HIGH POC
8.8 Mar 20

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit

CVE-2024-6707 HIGH POC
8.8 Aug 07

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver

CVE-2025-65959 HIGH POC
8.7 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St

CVE-2025-65958 HIGH POC
8.5 Dec 04

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se

CVE-2024-7990 HIGH POC
8.4 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV

CVE-2024-8053 HIGH POC
8.2 Mar 20

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u

CVE-2024-7034 HIGH POC
7.2 Mar 20

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin

CVE-2024-7959 HIGH POC
7.7 Mar 20

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)

CVE-2024-12537 HIGH POC
7.5 Mar 20

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker

Share

CVE-2026-56398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy