Critical Open WebUI Vulnerability Lets Attackers Achieve RCE via File Upload
Key Takeaways A critical, unpatched vulnerability in Open WebUI allows for one-click Remote Code Execution (RCE) or account takeover. The flaw, tracked as a Stored Cross-Site Scripting (XSS), resides...
Key Takeaways
- A critical, unpatched vulnerability in Open WebUI allows for one-click Remote Code Execution (RCE) or account takeover.
- The flaw, tracked as a Stored Cross-Site Scripting (XSS), resides in the platform’s profile image upload functionality.
- Attackers can exploit this by uploading a malicious SVG file containing a JavaScript payload.
- All versions of Open WebUI up to and including 0.7.2 are affected.
- No official patch is available, and a Proof of Concept (PoC) exploit has been publicly disclosed.
Unpatched Open WebUI Flaw Enables One-Click RCE and Account Takeover
A severe security vulnerability in the Open WebUI platform, currently without an official patch, exposes users to one-click remote code execution (RCE) or complete account hijacking. This critical flaw allows attackers to compromise AI workspaces, potentially leading to the theft of sensitive chat histories and unauthorized access.
Table Of Content
Security researcher Metin Yunus Kandemir identified the vulnerability, which stems from a Stored Cross-Site Scripting (XSS) defect within Open WebUI’s profile picture upload mechanism. The researcher’s attempts to responsibly disclose the issue were reportedly dismissed by the developers, leading to the public release of exploit code, leaving users exposed to potential attacks.
Technical Details of the Vulnerability
The core of the vulnerability lies in the way Open WebUI processes uploaded user profile images. Specifically, the /backend/open_webui/routers/users.py file, responsible for handling image data, lacks adequate restrictions on the types of media files users can upload. Instead of enforcing standard image formats like JPEG or PNG, the system permits the upload of malicious SVG files.
These specially crafted SVG files can contain Base64-encoded JavaScript payloads. Critically, the application employs an “inline” content disposition for these files. This configuration prevents the browser from downloading the SVG file as a separate entity. Instead, when a victim navigates to the link of a malicious profile image, their web browser immediately executes the embedded JavaScript, triggering the attack.
Impact Based on User Privileges
The severity of an attack leveraging this vulnerability varies significantly depending on the victim’s role and permissions within the Open WebUI environment:
- Administrators: If an administrator or a user with workspace management privileges clicks on a link to a malicious image, the attacker achieves one-click Remote Code Execution (RCE). The embedded JavaScript silently leverages the application’s API to create a rogue tool, establishing a persistent backdoor into the system.
- Standard Users: For regular users, clicking the malicious link results in an Account Takeover (ATO). The script covertly extracts the user’s authentication tokens from their browser storage and exfiltrates their entire chat history to an external server.
The attack requires no further authentication if the victim is already logged into Open WebUI, executing instantly in the background.
Disclosure Timeline and Current Status
This zero-day vulnerability affects Open WebUI versions up to and including 0.7.2. Metin Yunus Kandemir initially reported the issue to the vendor on March 10, 2026. However, on May 6, 2026, the Open WebUI team closed the report, citing it as a duplicate and referencing an unspecified security advisory. They informed the researcher, identified as UseHacker, that the vulnerability report would not receive official recognition.
According to UseHacker, Kandemir publicly released the full Proof of Concept (PoC) for the exploit on May 8, 2026, believing the vendor’s response constituted a breach of responsible disclosure protocols. As of now, no official patch has been released, leaving organizations utilizing Open WebUI to implement manual mitigations.
What You Should Do
Given the absence of an official patch, organizations and individual users of Open WebUI must take immediate action to protect their environments:
- Restrict File Types: Administrators should modify the backend code to enforce a strict allowlist for the
media_typevariable. Only secure image formats such asimage/png,image/jpeg,image/gif, andimage/webpshould be permitted. It is crucial to explicitly blockimage/svg+xml. - Exercise Caution with Links: Until an official patch is deployed, users must remain extremely vigilant. Avoid clicking on any unexpected or suspicious links that redirect to the Open WebUI application, particularly URLs containing segments like
/profile/imageor/auth?redirect=.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.