Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3.
Published: 2026-05-15
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI’s image uploading feature suffered an application‑wide CSRF vulnerability before version 0.9.3. An attacker can set an image URL to a malicious endpoint, allowing any authenticated user to perform actions on behalf of a victim when the image is loaded, and any user who views that image will unknowingly send a GET request to the attacker‑controlled URL. This flaw can lead to cookie theft, denial of service, or other malicious actions on the victim’s account. The weakness involves improper input validation and failure to require a CSRF token, identified as CWE‑20 and CWE‑352. This vulnerability was fixed in 0.9.3.

Affected Systems

Affected systems include the open‑webui application before version 0.9.3

Risk and Exploitability

The CVSS base score is 4.6, indicating a moderate impact. EPSS is not available, and the vulnerability is not listed in KEV. Because any authenticated user can supply an image URL and any viewer of that image triggers a GET request to the attacker‑controlled endpoint, the attack surface is wide. The primary attack vector is remote via the web interface, requiring only that the target user is authenticated and views the malicious image. The vulnerability is exploitable without privileges beyond those held by a regular user.

Generated by OpenCVE AI on May 15, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to open‑webui version 0.9.3 or later.
  • If upgrading is not possible, disable external image URL uploads to prevent malicious URLs from being stored.
  • Monitor user activity for unexpected external image requests and enforce strict source verification.

Generated by OpenCVE AI on May 15, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j6w6-986j-2m2m Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation
History

Sat, 16 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Fri, 15 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3.
Title Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation
Weaknesses CWE-20
CWE-352
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:29:44.870Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45317

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T22:16:54.520

Modified: 2026-05-15T22:16:54.520

Link: CVE-2026-45317

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T00:30:11Z

Weaknesses