GHSA-6GH2-Q7CP-9QF6
Vulnerability from github – Published: 2026-05-14 20:15 – Updated: 2026-05-19 15:57Summary
The profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:
-
data:text/html;base64,...in a new browser tab (raresvis, 2025-04-17) — when a victim right-clicks a user's profile picture and chooses "Open image in new tab", the browser navigates to the data: URL and executes embedded scripts in thedata:origin. Limited to social-engineering / redirect attacks because the script does not run in the application origin. -
data:image/svg+xml;base64,...re-served by the application origin (Gh05t666nero, 2026-01-09) —GET /api/v1/users/{user_id}/profile/imagedecoded the base64 and returnedStreamingResponse(media_type=<user-controlled>)extracted from thedata:header. Withmedia_type=image/svg+xmlandContent-Disposition: inline, the SVG-embedded scripts executed in the application origin, enabling JWT theft fromlocalStorageand full account takeover of any user — including admins — who loaded the malicious profile image URL.
Both attack paths share the same root cause (lack of MIME-type validation on profile_image_url) and are closed by the same fix.
Vulnerable code (v0.7.0)
backend/open_webui/routers/users.py get_user_profile_image_by_id():
elif user.profile_image_url.startswith("data:image"):
header, base64_data = user.profile_image_url.split(",", 1)
image_data = base64.b64decode(base64_data)
image_buffer = io.BytesIO(image_data)
media_type = header.split(";")[0].lstrip("data:") # user-controlled
return StreamingResponse(
image_buffer,
media_type=media_type,
headers={"Content-Disposition": "inline"},
)
Fix
Commit 773787c74 (2026-02-11), first contained in tag v0.8.0, applies the validate_profile_image_url field validator to every form that accepts profile_image_url (UserModel, UpdateProfileForm, SignupForm in backend/open_webui/models/users.py and backend/open_webui/models/auths.py). The validator explicitly rejects data:image/svg+xml and any non-image data URI, allowing only data:image/{png,jpeg,gif,webp};base64 plus known internal paths and http(s):// URLs. This blocks both attack vectors at form submission time, so a malicious URL can no longer be persisted to the database.
Credits
- raresvis — discovered the
data:text/html-via-new-tab path - Gh05t666nero — discovered the
data:image/svg+xml-via-server-side path (the more severe origin-XSS vector that determined the consolidated CVSS)
Per our Report Handling policy, the cluster is consolidated into the earliest filing with credit to every reporter who demonstrated a distinct exploitation path.
Affected / patched versions
- Affected:
< 0.8.0 - Patched:
>= 0.8.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45299"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:15:19Z",
"nvd_published_at": "2026-05-15T22:16:53Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `profile_image_url` field on the user profile update form accepted arbitrary `data:` URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:\n\n1. **`data:text/html;base64,...` in a new browser tab** (raresvis, 2025-04-17) \u2014 when a victim right-clicks a user\u0027s profile picture and chooses \"Open image in new tab\", the browser navigates to the data: URL and executes embedded scripts in the `data:` origin. Limited to social-engineering / redirect attacks because the script does not run in the application origin.\n\n2. **`data:image/svg+xml;base64,...` re-served by the application origin** (Gh05t666nero, 2026-01-09) \u2014 `GET /api/v1/users/{user_id}/profile/image` decoded the base64 and returned `StreamingResponse(media_type=\u003cuser-controlled\u003e)` extracted from the `data:` header. With `media_type=image/svg+xml` and `Content-Disposition: inline`, the SVG-embedded scripts executed in the **application origin**, enabling JWT theft from `localStorage` and full account takeover of any user \u2014 including admins \u2014 who loaded the malicious profile image URL.\n\nBoth attack paths share the same root cause (lack of MIME-type validation on `profile_image_url`) and are closed by the same fix.\n\n## Vulnerable code (v0.7.0)\n\n`backend/open_webui/routers/users.py` `get_user_profile_image_by_id()`:\n\n```python\nelif user.profile_image_url.startswith(\"data:image\"):\n header, base64_data = user.profile_image_url.split(\",\", 1)\n image_data = base64.b64decode(base64_data)\n image_buffer = io.BytesIO(image_data)\n media_type = header.split(\";\")[0].lstrip(\"data:\") # user-controlled\n return StreamingResponse(\n image_buffer,\n media_type=media_type,\n headers={\"Content-Disposition\": \"inline\"},\n )\n```\n\n## Fix\n\nCommit `773787c74` (2026-02-11), first contained in tag **v0.8.0**, applies the `validate_profile_image_url` field validator to every form that accepts `profile_image_url` (`UserModel`, `UpdateProfileForm`, `SignupForm` in `backend/open_webui/models/users.py` and `backend/open_webui/models/auths.py`). The validator explicitly rejects `data:image/svg+xml` and any non-image data URI, allowing only `data:image/{png,jpeg,gif,webp};base64` plus known internal paths and `http(s)://` URLs. This blocks both attack vectors at form submission time, so a malicious URL can no longer be persisted to the database.\n\n## Credits\n\n- **raresvis** \u2014 discovered the `data:text/html`-via-new-tab path\n- **Gh05t666nero** \u2014 discovered the `data:image/svg+xml`-via-server-side path (the more severe origin-XSS vector that determined the consolidated CVSS)\n\nPer our Report Handling policy, the cluster is consolidated into the earliest filing with credit to every reporter who demonstrated a distinct exploitation path.\n\n## Affected / patched versions\n\n- Affected: `\u003c 0.8.0`\n- Patched: `\u003e= 0.8.0`",
"id": "GHSA-6gh2-q7cp-9qf6",
"modified": "2026-05-19T15:57:56Z",
"published": "2026-05-14T20:15:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-6gh2-q7cp-9qf6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45299"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has Stored Cross-Site Scripting In Profile Picture"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.