PT-2026-41162 · Unknown · Open-Webui

Published: 2026-03-08 · Updated: 2026-05-16 · CVE-2026-45299

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.0

Description: The profile_image_url field on the user profile update form accepts arbitrary data: URI values without MIME-type validation, leading to Cross-Site Scripting (XSS). The application never validates the media type of the supplied URI. One attack vector uses data:text/html;base64,..., which executes script when a user opens the image in a new browser tab. A more severe vector uses data:image/svg+xml;base64,... via the 'GET /api/v1/users/{user_id}/profile/image' endpoint: the get_user_profile_image_by_id() function returns a response whose media type is user-controlled, so script embedded in the SVG executes within the application origin. This enables theft of JSON Web Tokens (JWT) from localStorage and full account takeover of any user, including administrators.

Recommendations: Update to version 0.8.0 or later.
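The missing check the advisory describes is a media-type allowlist on the stored profile image value, enforced before the value is saved rather than at serving time. The validator below is an added illustration written for this record, not Open WebUI's own code; the function names, the allowlist and the sample values are constructed for the example. It accepts http(s) URLs and base64 data: URIs only when the declared type is a raster image format and the decoded bytes carry that format's magic header, so both data:text/html and data:image/svg+xml are rejected, as is a payload that merely claims to be image/png.

```python
import base64
import re
from urllib.parse import urlparse

# Allowlist of raster formats with their magic bytes (constructed for this example).
# SVG is deliberately absent: an SVG document can embed script, which is the vector the advisory describes.
ALLOWED_IMAGE_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
_DATA_URI = re.compile(r"^data:(?P<mime>[\w.+-]+/[\w.+-]+)(?P<params>(?:;[^,]*)?),(?P<payload>.*)$", re.DOTALL)

def validate_profile_image_url(value: str) -> tuple[bool, str]:
    """Accept http(s) URLs, or base64 data: URIs with an allowlisted, magic-verified media type."""
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return True, "remote url"
    if parsed.scheme != "data":
        return False, "scheme not allowed: %r" % parsed.scheme
    m = _DATA_URI.match(value)
    if not m:
        return False, "malformed data uri"
    mime = m.group("mime").lower()
    if mime not in ALLOWED_IMAGE_TYPES:
        return False, "media type not allowed: " + mime
    if ";base64" not in m.group("params").lower():
        return False, "data uri must be base64 encoded"
    try:
        raw = base64.b64decode(m.group("payload"), validate=True)
    except ValueError:
        return False, "invalid base64 payload"
    if not raw.startswith(ALLOWED_IMAGE_TYPES[mime]):
        return False, "payload bytes do not match declared type " + mime
    return True, mime

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()
# Constructed samples: benign placeholders, not real payloads.
SAMPLES = {
    "png": "data:image/png;base64," + _b64(b"\x89PNG\r\n\x1a\n" + bytes(8)),
    "svg": "data:image/svg+xml;base64," + _b64(b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
    "html": "data:text/html;base64," + _b64(b"<p>not an image</p>"),
    "mislabelled": "data:image/png;base64," + _b64(b"<svg/>"),
    "remote": "https://example.com/avatar.png",
}

def check_samples() -> dict[str, bool]:
    return {name: validate_profile_image_url(uri)[0] for name, uri in SAMPLES.items()}
```

Pairing this with a fixed, server-chosen Content-Type on the image endpoint (instead of echoing the stored media type) closes the origin-execution path even if a bad value reaches the database by another route.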

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-07136
CVE-2026-45299
GHSA-6GH2-Q7CP-9QF6

Affected Products

Open-Webui