A significant security vulnerability in Open WebUI remains unpatched, posing a serious threat to AI workspaces. This flaw enables attackers to execute remote code, potentially hijacking accounts and accessing sensitive chat histories with just a single click.
Discovery of the Vulnerability
Security researcher Metin Yunus Kandemir identified the flaw, which is rooted in a Stored Cross-Site Scripting (XSS) issue within the platform’s profile image upload feature. Despite the findings, developers have not acknowledged the vulnerability, leading to the exploit code being made public.
The vulnerability arises from inadequate restrictions on media types during image uploads in the Open WebUI application. Specifically, attackers can upload malicious SVG files containing Base64-encoded JavaScript payloads, which are executed by the victim’s browser due to the application’s content handling mechanisms.
Impact on Different User Levels
The severity of this exploit varies based on the user’s permission level within the Open WebUI environment. If an administrator or user with high privileges encounters the malicious image link, the attacker can achieve 1-Click Remote Code Execution (RCE), creating a backdoor via the API.
Standard users are not immune, as the script can trigger an Account Takeover (ATO) by extracting authentication tokens and chat history, sending this data to an external server. This attack occurs without additional authentication if the user is already logged in.
Response and Mitigation Measures
This zero-day vulnerability persists in Open WebUI version 0.7.2, initially reported on March 10, 2026. However, the Open WebUI team dismissed the report as a duplicate on May 6, 2026, without providing an official fix, prompting Kandemir to publish the Proof of Concept (PoC) on May 8, 2026.
Organizations using Open WebUI are advised to implement manual defenses, including restricting file types to safe formats like JPEG and PNG while blocking SVG files. Users should be cautious of suspicious links, especially those directing to the Open WebUI application.
The absence of an official patch necessitates vigilant monitoring and proactive security measures to safeguard environments using Open WebUI.
