Open WebUI is a self‑hosted artificial intelligence platform that operates entirely offline. Before version 0.9.6 the developers patched SVG‑based XSS in user‑profile and webhook images, but neglected to apply the same fix to model‑profile images. In those earlier releases the ModelMeta class lacks a validate_profile_image_url field validator, and the model image‑serving endpoint is missing a MIME type allowlist and a nosniff header. Consequently any authenticated user with the default workspace.models permission—enabled by default—can store a data:image/svg+xml;base64 payload as a model’s profile picture. When any user navigates to the image URL the embedded script executes in their browser, enabling full account takeover. This flaw maps to CWE‑79 (stored XSS), CWE‑116 (inconsistent file handling), and CWE‑693 (missing security headers). The issue was fixed in 0.9.6.

The vulnerability affects the open‑webui:open‑webui platform in all releases prior to version 0.9.6. Deployments that have not applied the patch that adds a validator to ModelMeta and a MIME allowlist to the image serving endpoint, and where the default workspace.models permission remains enabled, are vulnerable.

The CVSS score of 7.6 indicates high severity. The EPSS score is not available, and the flaw is not listed in CISA KEV. The attack requires an authenticated account with model creation privileges; the attacker can then upload a crafted SVG and any other user who visits the image URL will experience account takeover. The risk is confined to environments that expose the model image URL to internal users or the public internet, but the lack of a nosniff header and MIME allowlist eliminates defensive barriers.