IA Squad
python · open-webui · Critical

Open WebUI <= 0.9.5 Stored XSS to Account Takeover via Model Profile Images

Stored XSS to account takeover via model profile images.

18 Jun 2026 · Read 1 min · Severity: act now

What changed

The ModelMeta class does not validate profile_image_url, and the model image serving endpoint has neither a MIME-type allowlist nor an X-Content-Type-Options: nosniff header. Together these let an SVG containing script be stored as a model's profile image and executed when the image is served.

Who it affects

All users of Open WebUI <= 0.9.5, especially instances where the workspace.models permission is granted (it is enabled by default). A successful attack steals the victim's JWT token and yields full account takeover.

What to do today

Upgrade to a patched version, or apply the recommended fix: add a validate_profile_image_url validator to ModelMeta, and add a MIME-type allowlist plus an X-Content-Type-Options: nosniff header to the model image serving endpoint.
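As an added illustration of the two-part fix above (example code, not Open WebUI's own), in Python: a profile_image_url validator that accepts only http(s) URLs or base64 data: URLs of allowlisted raster types whose bytes match the declared type, and a helper that builds the serving endpoint's response headers from the same allowlist with nosniff set. Function names, the allowlist and the sample inputs are assumptions; in ModelMeta the validator would be wired as a pydantic field validator, and the CSP header in the response is defence in depth beyond the advisory's stated fix.

```python
import base64
import re
from urllib.parse import urlparse

# Raster formats only: SVG is excluded because it can carry scripts and event handlers.
ALLOWED_IMAGE_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})
# Magic bytes each allowlisted type must start with (RIFF container for WebP).
_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/webp": (b"RIFF",),
}
_DATA_URL_RE = re.compile(r"^data:(?P<mime>[\w.+-]+/[\w.+-]+);base64,(?P<payload>[A-Za-z0-9+/=]+)$")

def validate_profile_image_url(url):
    """Accept None, an http(s) URL, or a base64 data: URL of an allowlisted raster type."""
    if not url:
        return None
    if urlparse(url).scheme in ("http", "https"):
        return url
    m = _DATA_URL_RE.match(url)
    if not m:
        raise ValueError("profile_image_url must be an http(s) URL or a base64 data: URL")
    mime = m.group("mime").lower()
    if mime not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"unsupported image type: {mime}")
    try:
        raw = base64.b64decode(m.group("payload"), validate=True)
    except ValueError:
        raise ValueError("profile_image_url payload is not valid base64") from None
    # The declared type must match the bytes, so a mislabelled SVG/HTML body is rejected too.
    if not any(raw.startswith(sig) for sig in _MAGIC[mime]):
        raise ValueError(f"payload does not look like {mime}")
    return url

def image_response_headers(stored_mime):
    """Headers for the image serving endpoint: allowlisted type only, never sniffed."""
    mime = stored_mime.split(";")[0].strip().lower()
    if mime not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"refusing to serve non-allowlisted type: {mime}")
    # CSP sandbox is defence in depth beyond the advisory's fix: no script runs even if a body slips through.
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}

# Constructed sample inputs for the checks above (not payloads from the advisory).
SAMPLE_PNG_DATA_URL = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\0" * 8).decode()
SAMPLE_SVG_DATA_URL = "data:image/svg+xml;base64," + base64.b64encode(b"<svg/>").decode()
SAMPLE_MISLABELLED_DATA_URL = "data:image/png;base64," + base64.b64encode(b"<svg/>").decode()
```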
