Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves this SVG as image/svg+xml without sanitization, allowing attacker-controlled script handlers (for example onload) to execute when the profile-image URL is opened in the browser. This vulnerability is fixed in 0.9.3.
Published: 2026-05-15
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI’s channel webhook create and update endpoints accept arbitrary profile_image_url values, including data:image/svg+xml;base64 URLs that carry attacker-supplied SVG. The webhook profile-image endpoint (/api/v1/channels/webhooks/{webhook_id}/profile/image) decodes the data URL and serves the SVG as image/svg+xml without sanitization, so event handlers such as onload run when the profile-image URL is opened in a browser. Because the response is served from the Open WebUI origin, the injected script runs with the viewing user’s session. The flaw is classified as CWE‑87 (Improper Neutralization of Alternate XSS Syntax) and is fixed in version 0.9.3.

Affected Systems

All Open WebUI installations earlier than version 0.9.3 are affected. Two code paths are involved: the channel webhook create/update flow, which stores profile_image_url without validating its scheme or content, and the webhook profile-image endpoint, which decodes the stored data URL and returns it with the declared media type.

Risk and Exploitability

The CVSS v4.0 base score of 7.4 rates the flaw High. The vector (AV:N/AC:L/AT:P/PR:L/UI:P) means the attack is network-reachable but requires a low-privileged authenticated account that can create or update a channel webhook (PR:L) and a victim who opens the profile-image URL (UI:P); it is not exploitable anonymously. The absence of a KEV listing and the EPSS below 1% indicate no known exploitation in the wild at publication. An attacker stores a profile_image_url of the form data:image/svg+xml;base64,... whose decoded SVG carries a script handler; when a user opens the image URL, the browser renders the SVG on the application’s origin and executes the script, which can then read or act with the victim’s session (session hijacking, data theft, actions performed as the victim, page defacement).

Generated by OpenCVE AI on May 15, 2026 at 23:53 UTC.

Remediation

Fixed in Open WebUI 0.9.3; see GitHub advisory GHSA-3856-3vxq-m6fc. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade to Open WebUI 0.9.3 or later to apply the vendor’s fix.
  • If an upgrade is not immediately feasible, tighten validation of profile_image_url at create and update time: allow only http and https URLs (and, if inline images are needed, data: URLs whose decoded bytes are a raster format such as PNG or JPEG), and reject image/svg+xml and every other scheme or media type. Treat the media type declared in a data: URL as attacker-controlled and check the decoded bytes rather than the label.
  • Apply the same check when serving, since records written before the fix may still hold SVG payloads. If SVG must be served at all, stripping script elements and on* handlers is error-prone; serve it with Content-Security-Policy: default-src 'none'; sandbox and X-Content-Type-Options: nosniff, or from a separate origin that carries no session, so a missed handler cannot run in the application’s context.
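The following Python example is added here to illustrate the flaw described in the Impact and Risk sections and the validation steps in the actions above. It is not Open WebUI code: the function names, the allow-list of raster types, the response headers and the sample URLs are all assumptions constructed for the example. The first function reproduces the unsafe behaviour (trusting the declared media type of a data: URL); the rest implement the hardened check, including byte-level sniffing so that an SVG relabelled as image/png is also rejected.

```python
"""Illustrative reconstruction of the profile_image_url flaw and a hardened
validator. Not Open WebUI code; all names and sample inputs are assumed."""
from __future__ import annotations

import base64
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory or the project).
SVG_WITH_ONLOAD = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">'
    b'<rect width="1" height="1"/></svg>'
)
ATTACKER_URL = "data:image/svg+xml;base64," + base64.b64encode(SVG_WITH_ONLOAD).decode()
# Same SVG bytes, but the data: URL claims to be PNG.
RELABELLED_URL = "data:image/png;base64," + base64.b64encode(SVG_WITH_ONLOAD).decode()
# PNG signature followed by filler bytes; only the signature is checked here.
PNG_URL = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
REMOTE_URL = "https://cdn.example.com/avatars/webhook.png"
JS_URL = "javascript:alert(1)"


def vulnerable_serve_profile_image(profile_image_url: str) -> tuple[str, bytes]:
    """Pre-0.9.3 behaviour as the advisory describes it: the media type the
    client declared and the decoded bytes are served back unchanged."""
    header, _, payload = profile_image_url.partition(",")
    media_type = header.removeprefix("data:").split(";", 1)[0] or "text/plain"
    return media_type, base64.b64decode(payload)


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_RASTER_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def sniff_raster_type(data: bytes) -> str | None:
    """Return the raster type indicated by the file signature, or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_profile_image_url(profile_image_url: str) -> str:
    """Accept http(s) URLs with a host, or base64 data: URLs whose declared
    raster type matches the decoded bytes. Everything else, SVG included,
    raises ValueError."""
    parts = urlsplit(profile_image_url)
    scheme = parts.scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        if not parts.netloc:
            raise ValueError("http(s) URL without a host")
        return profile_image_url
    if scheme != "data":
        raise ValueError(f"scheme {scheme!r} not allowed")
    header, sep, payload = parts.path.partition(",")
    if not sep:
        raise ValueError("malformed data: URL")
    media_type, *params = [p.strip().lower() for p in header.split(";")]
    if media_type not in ALLOWED_RASTER_TYPES:  # rejects image/svg+xml
        raise ValueError(f"media type {media_type!r} not allowed")
    if "base64" not in params:
        raise ValueError("only base64 data: URLs are accepted")
    try:
        data = base64.b64decode(payload, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid base64 payload") from exc
    if sniff_raster_type(data) != media_type:
        raise ValueError("payload bytes do not match the declared media type")
    return profile_image_url


def is_accepted(profile_image_url: str) -> bool:
    """Convenience wrapper: True if the validator accepts the URL."""
    try:
        validate_profile_image_url(profile_image_url)
        return True
    except ValueError:
        return False


def hardened_serve_profile_image(profile_image_url: str) -> tuple[int, dict[str, str], bytes]:
    """Replacement for the image endpoint: re-validate on read (records written
    before the fix may still hold SVG), label the body with the sniffed type,
    and add headers so a mis-served document still could not run script."""
    url = validate_profile_image_url(profile_image_url)
    if urlsplit(url).scheme.lower() in ALLOWED_SCHEMES:
        return 302, {"Location": url}, b""
    data = base64.b64decode(url.partition(",")[2], validate=True)
    headers = {
        "Content-Type": sniff_raster_type(data) or "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return 200, headers, data


if __name__ == "__main__":
    print("vulnerable serves:", vulnerable_serve_profile_image(ATTACKER_URL)[0])
    for url in (ATTACKER_URL, RELABELLED_URL, JS_URL, PNG_URL, REMOTE_URL):
        print(url[:40].ljust(40), "accepted" if is_accepted(url) else "rejected")
```

Run stand-alone, the script shows the unsafe path returning image/svg+xml for the onload payload while the validator rejects the SVG, the relabelled SVG and the javascript: URL and accepts the PNG and https inputs. The sniffing step is what closes the relabelling gap: the media type in a data: URL is just a string the attacker typed.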

Advisories

Source: GitHub GHSA
ID: GHSA-3856-3vxq-m6fc
Title: Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
History

Fri, 15 May 2026 23:45:00 +0000

First Time appeared (values added): Open-webui; Open-webui open-webui
Vendors & Products (values added): Open-webui; Open-webui open-webui

Fri, 15 May 2026 22:00:00 +0000

Description (added): the CVE description shown at the top of this page.
Title (added): Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
Weaknesses (added): CWE-87
References (added): none listed
Metrics (added): cvssV4_0, score 7.4, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:31:24.526Z

Reserved: 2026-05-11T20:50:30.538Z

Link: CVE-2026-45314

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T22:16:54.110

Modified: 2026-05-15T22:16:54.110

Link: CVE-2026-45314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T00:00:12Z

Weaknesses