Critical Security Advisory: Unpatched SVG-Based XSS in Open WebUI Leads to RCE and Full Account Takeover
A critical, unpatched vulnerability has been identified in Open WebUI, transforming a standard user interaction—uploading a profile picture—into a high-impact vector for complete system compromise. This flaw represents a significant security risk for organizations deploying Open WebUI for internal AI orchestration.
Security researchers have formally disclosed a severe Stored Cross-Site Scripting (XSS) vulnerability. Due to the way the application handles certain file types, this XSS can be escalated into 1-click Remote Code Execution (RCE) and comprehensive account hijacking.
Technical Breakdown: The Failure of Media Type Validation
The root cause of this vulnerability lies within the backend routing architecture responsible for handling profile image uploads. Security researcher Metin Yunus Kandemir discovered that the application fails to implement rigorous validation of media types when processing base64-encoded profile images.
The exploitation mechanism follows a specific technical path:
- Payload Injection: An attacker crafts a malicious payload using the
data:image/svg+xml;base64syntax. This allows the attacker to embed executable JavaScript directly within a Scalable Vector Graphics (SVG) file. - Improper Decoding: When the user uploads this “image,” the server decodes the base64 string and returns the content directly to the browser as a streaming response.
- Lack of Content Sanitization: Because the system lacks a strict allowlist (e.g., restricting uploads exclusively to
image/jpegorimage/png), it blindly processes the SVG. - Inline Execution: Instead of forcing a file download, the browser renders the SVG inline, triggering the embedded JavaScript execution within the context of the user’s active session.
Attack Vectors and Impact Escalation
The danger of this flaw is magnified by its minimal interaction requirements. For enterprise environments, this is particularly concerning as it can be weaponized via social engineering. An attacker can upload a base64-encoded payload containing a reverse shell as their profile photo and then distribute the direct URL to that image.
The severity of the impact is determined by the privilege level of the victim:
- Administrator / Workspace Tool Privileges: If a high-privilege user clicks the link, the script performs background API calls to
/api/v1/tools/create. It injects a tool containing reverse shell code, granting the attacker Remote Code Execution (RCE) on the underlying infrastructure. - Standard User: For non-admin users, the payload focuses on data exfiltration. The script harvests Local Storage tokens and scrapes chat logs via the
/api/v1/chats/allendpoint, transmitting sensitive intellectual property to an attacker-controlled server.
The discovery process has been marked by significant friction between researchers and the maintainers. While reported privately in March, the researchers allege that the developers closed the report as a “duplicate” of a non-public advisory without providing official acknowledgment or a clear remediation timeline. Consequently, the details have been made public to ensure the community can defend itself.