Open WebUI: Open WebUI File Upload Vulnerability Enables One-Click RCE Attacks

Critical Unpatched XSS Flaw in Open WebUI Enables 1-Click RCE and Account Takeover

Security researchers have disclosed a severe stored Cross-Site Scripting (XSS) vulnerability in Open WebUI, allowing attackers to achieve remote code execution (RCE) or full account hijacking with minimal user interaction. The flaw, discovered by researcher Metin Yunus Kandemir, stems from improper validation of profile image uploads, specifically when handling base64-encoded SVG files.

How the Attack Works

The vulnerability lies in Open WebUI’s backend routing, which fails to enforce strict file-type restrictions. Attackers can embed malicious JavaScript in an SVG file submitted in the data:image/svg+xml;base64 format. When that file is uploaded as a profile picture, the server processes it and renders it inline, so the embedded code executes in the victim’s browser.
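The missing check described above can be sketched as follows. This is an added example, not Open WebUI's code: the function names, the raster-only allowlist and the size limit are assumptions. It rejects SVG data URLs, compares the decoded bytes with the declared type, and returns response headers that keep an already-stored avatar inert when it is opened directly.

```python
import base64
import binascii
import re

# Raster types accepted for avatars, keyed to their leading magic bytes.
# image/svg+xml is deliberately absent: SVG is XML and can carry script.
RASTER_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
DATA_URL = re.compile(
    r"^data:(?P<mime>[\w.+-]+/[\w.+-]+);base64,(?P<b64>[A-Za-z0-9+/]+={0,2})$"
)


def validate_profile_image(data_url, max_bytes=512 * 1024):
    """Return (ok, reason) for an avatar submitted as a base64 data: URL."""
    match = DATA_URL.match(data_url.strip())
    if not match:
        return False, "not a base64 data URL"
    mime = match.group("mime").lower()
    if mime not in RASTER_MAGIC:
        return False, "media type not allowed: " + mime
    try:
        raw = base64.b64decode(match.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return False, "invalid base64"
    if len(raw) > max_bytes:
        return False, "image too large"
    # The declared type is client-controlled, so the bytes must agree with it.
    if not raw.startswith(RASTER_MAGIC[mime]):
        return False, "content does not match declared type"
    return True, "ok"


def avatar_response_headers(mime):
    """Headers that keep a stored avatar inert even if opened directly."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed samples: a script-free SVG and a minimal PNG header.
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'
SVG_URL = "data:image/svg+xml;base64," + base64.b64encode(_SVG).decode()
PNG_URL = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(8)).decode()
SPOOFED_URL = "data:image/png;base64," + base64.b64encode(_SVG).decode()
```

The magic-byte comparison only confirms that the declared type and the content agree; re-encoding accepted images server-side is a stronger control where it is available.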

The attack chain unfolds in two scenarios:

  1. Administrator/Privileged User Compromise – If the victim has elevated access, the payload silently calls Open WebUI’s API to create a malicious tool, injecting a reverse shell for full RCE.
  2. Standard User Account Takeover – For non-privileged users, the payload extracts local storage tokens and chat logs, transmitting them to an attacker-controlled server.

Key targeted API endpoints include:

  • /api/v1/tools/create (RCE payload delivery)
  • /api/v1/chats/all (chat history extraction)
  • /api/v1/users/search (user enumeration)
  • /api/v1/users/[user_id]/profile/image (malicious SVG execution)
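For monitoring the endpoints listed above, the following added example (not from the original article or the Open WebUI project) scans reverse-proxy access logs for sensitive API calls whose Referer is a profile image URL, which is what a browser sends by default when script runs inside an avatar opened as a document. The combined log format, the host name, the HTTP methods and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoints named in the write-up as called by the payload.
SENSITIVE = {"/api/v1/tools/create", "/api/v1/chats/all", "/api/v1/users/search"}
AVATAR_PATH = re.compile(r"^/api/v1/users/[^/]+/profile/image$")
# Assumption: the proxy writes combined log format with the Referer field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def find_avatar_originated_calls(log_text):
    """Return (ip, method, path, referer_path) for sensitive API calls
    whose Referer is a profile image URL rather than an application page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path.rstrip("/")
        ref_path = urlsplit(m.group("referer")).path
        if path in SENSITIVE and AVATAR_PATH.match(ref_path):
            hits.append((m.group("ip"), m.group("method"), path, ref_path))
    return hits


# Constructed log lines (not from a real deployment).
_AVATAR = "https://webui.example/api/v1/users/u-1001/profile/image"
_TS = "[01/Jan/2026:10:00:00 +0000]"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - {_TS} "POST /api/v1/tools/create HTTP/1.1" 200 310 '
    '"https://webui.example/workspace/tools/create" "Mozilla/5.0"',
    f'10.0.0.9 - - {_TS} "GET /api/v1/users/u-1001/profile/image HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - {_TS} "POST /api/v1/tools/create HTTP/1.1" 200 298 "{_AVATAR}" "Mozilla/5.0"',
    f'10.0.0.9 - - {_TS} "GET /api/v1/chats/all HTTP/1.1" 200 9021 "{_AVATAR}" "Mozilla/5.0"',
    f'10.0.0.9 - - {_TS} "GET /api/v1/users/search?query=a HTTP/1.1" 200 540 "{_AVATAR}" "Mozilla/5.0"',
])
```

A request can omit the Referer header, so an empty result is not proof that nothing happened; treat hits as high-confidence leads and pair them with review of recently created tools.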

Disclosure and Current Status

Researchers privately reported the issue to Open WebUI maintainers in March, but the report was closed as a duplicate of a non-public advisory, with no official acknowledgment. Frustrated by the lack of response, researchers publicly disclosed the flaw to warn users.

As of version 0.7.2, the vulnerability remains unpatched. Until an official fix is released, organizations using Open WebUI are exposed to phishing-driven attacks, where a single click on a malicious link could trigger exploitation. The flaw is particularly dangerous in enterprise environments, where compromised admin accounts could lead to widespread system breaches.

Source: https://cyberpress.org/open-webui-file-upload-vulnerability/

Open WebUI cybersecurity rating report: https://www.rankiteo.com/company/open-webui

"id": "OPE1778588739",
"linkid": "open-webui",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Organizations and users '
                                              'deploying Open WebUI '
                                              '(especially enterprise '
                                              'environments)',
                        'industry': 'Technology, Artificial Intelligence',
                        'name': 'Open WebUI',
                        'type': 'Software (Open-Source AI Interface)'}],
 'attack_vector': 'Malicious SVG file upload (base64-encoded)',
 'customer_advisories': 'Users are advised to avoid uploading SVG files and '
                        'monitor for suspicious activity.',
 'data_breach': {'data_exfiltration': 'Yes (payload transmits data to '
                                      'attacker-controlled server)',
                 'file_types_exposed': ['SVG', 'Local storage data (JSON)'],
                 'personally_identifiable_information': 'Yes (authentication '
                                                        'tokens, user data)',
                 'sensitivity_of_data': 'High (PII, authentication '
                                        'credentials, internal communications)',
                 'type_of_data_compromised': ['Authentication tokens',
                                              'Chat logs',
                                              'User profile data',
                                              'System access (via RCE)']},
 'description': 'Security researchers have disclosed a severe stored '
                'Cross-Site Scripting (XSS) vulnerability in Open WebUI, '
                'allowing attackers to achieve remote code execution (RCE) or '
                'full account hijacking with minimal user interaction. The '
                'flaw stems from improper validation of profile image uploads, '
                'specifically when handling base64-encoded SVG files. '
                'Attackers can embed malicious JavaScript in an SVG file, '
                "which executes when rendered in the victim's browser, leading "
                'to RCE or account takeover.',
 'impact': {'brand_reputation_impact': 'High (public disclosure of unpatched '
                                       'critical vulnerability)',
            'data_compromised': 'Local storage tokens, chat logs, user '
                                'enumeration data, profile images',
            'identity_theft_risk': 'High (PII and authentication tokens '
                                   'exposed)',
            'operational_impact': 'Potential full system compromise via RCE, '
                                  'account takeover, data exfiltration',
            'systems_affected': 'Open WebUI (versions up to 0.7.2)'},
 'initial_access_broker': {'high_value_targets': 'Administrators/privileged '
                                                 'users (for RCE), standard '
                                                 'users (for account '
                                                 'takeover)'},
 'investigation_status': 'Publicly disclosed; unpatched as of version 0.7.2',
 'lessons_learned': 'Importance of strict file-type validation for user '
                    'uploads, timely patching of critical vulnerabilities, and '
                    'transparent communication between security researchers '
                    'and maintainers.',
 'post_incident_analysis': {'corrective_actions': 'Implement strict file-type '
                                                  'validation, sanitize SVG '
                                                  'uploads, enforce CSP, and '
                                                  'patch the vulnerability.',
                            'root_causes': 'Improper validation of SVG file '
                                           'uploads, lack of Content Security '
                                           'Policy (CSP), insufficient API '
                                           'endpoint protections'},
 'recommendations': ['Avoid uploading SVG files in Open WebUI until a patch is '
                     'released.',
                     'Restrict Open WebUI access to trusted users only.',
                     'Monitor for suspicious API calls (e.g., '
                     '`/api/v1/tools/create`, `/api/v1/chats/all`).',
                     'Implement a Web Application Firewall (WAF) to block '
                     'malicious SVG payloads.',
                     'Upgrade to a patched version immediately upon release.'],
 'references': [{'source': 'Security Researcher (Metin Yunus Kandemir)'}],
 'response': {'communication_strategy': 'Public disclosure by security '
                                        'researchers due to lack of maintainer '
                                        'response',
              'remediation_measures': 'No official patch available as of '
                                      'version 0.7.2. Users advised to avoid '
                                      'uploading SVG files or restrict Open '
                                      'WebUI access.'},
 'stakeholder_advisories': 'Organizations using Open WebUI should assess '
                           'exposure and implement mitigations until a patch '
                           'is available.',
 'title': 'Critical Unpatched XSS Flaw in Open WebUI Enables 1-Click RCE and '
          'Account Takeover',
 'type': 'Stored Cross-Site Scripting (XSS)',
 'vulnerability_exploited': 'Improper validation of profile image uploads (SVG '
                            'files with embedded JavaScript)'}