{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aopenwebuiopen_webui/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.3,"id":"CVE-2025-64496"},{"cvss":8.7,"id":"CVE-2025-64495"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.9.4)"],"_cs_severities":["high"],"_cs_tags":["xss","stored-xss","oauth","open-webui"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eOpen WebUI versions 0.9.4 and earlier are vulnerable to a stored cross-site scripting (XSS) attack due to improper validation of profile images when users sign in via OAuth. The application fetches a URL provided in the OAuth \u003ccode\u003epicture\u003c/code\u003e claim, infers the MIME type from the URL extension, and stores it as a data URI without proper sanitization. Specifically, an attacker can host a malicious SVG file and set their profile picture URL to that file. When a victim clicks the link to the attacker\u0026rsquo;s profile image, the browser executes the SVG code, potentially leading to account takeover by exfiltrating the victim\u0026rsquo;s JWT token. 
This vulnerability is similar to CVE-2025-64496 and CVE-2025-64495, which highlights trust boundary errors in Open WebUI.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious SVG file containing JavaScript code to exfiltrate \u003ccode\u003elocalStorage.token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious SVG file on a publicly accessible server (e.g., \u003ccode\u003ehttps://attacker.example/p.svg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker configures their OAuth profile picture URL to point to the malicious SVG file.\u003c/li\u003e\n\u003cli\u003eThe attacker signs in to Open WebUI via OAuth, triggering the application to fetch and store the SVG data URI as their profile image.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a URL to their profile image endpoint (e.g., \u003ccode\u003ehttps://target.example/api/v1/users/\u0026lt;attacker-user-id\u0026gt;/profile/image\u003c/code\u003e) and shares it with a victim.\u003c/li\u003e\n\u003cli\u003eThe authenticated victim clicks on the link.\u003c/li\u003e\n\u003cli\u003eThe server serves the attacker-controlled SVG with \u003ccode\u003eContent-Type: image/svg+xml\u003c/code\u003e and \u003ccode\u003eContent-Disposition: inline\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser renders the SVG, executes the embedded JavaScript, and exfiltrates the victim\u0026rsquo;s JWT token to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to account takeover of any authenticated user who clicks the malicious link. The attacker can then access the victim\u0026rsquo;s chats, API keys, and potentially achieve remote code execution (RCE) via installed tools if the victim has the \u003ccode\u003eworkspace.tools\u003c/code\u003e permission. 
Furthermore, the lack of SSRF protection allows an attacker to potentially read internal resources by pointing the \u003ccode\u003epicture\u003c/code\u003e claim at internal URLs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement server-side MIME type validation in \u003ccode\u003e_process_picture_url\u003c/code\u003e (\u003ccode\u003eutils/oauth.py:1336-1345\u003c/code\u003e) to only allow \u003ccode\u003eimage/png\u003c/code\u003e, \u003ccode\u003eimage/jpeg\u003c/code\u003e, \u003ccode\u003eimage/gif\u003c/code\u003e, and \u003ccode\u003eimage/webp\u003c/code\u003e. Use the \u003ccode\u003eContent-Type\u003c/code\u003e response header instead of the URL extension.\u003c/li\u003e\n\u003cli\u003eEnforce a MIME whitelist in \u003ccode\u003eget_user_profile_image_by_id\u003c/code\u003e (\u003ccode\u003erouters/users.py:504-528\u003c/code\u003e) before building the \u003ccode\u003eStreamingResponse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the \u003ccode\u003evalidate_profile_image_url\u003c/code\u003e validator at the model layer (\u003ccode\u003eUsers.update_user_profile_image_url_by_id\u003c/code\u003e), not just at the Pydantic form layer, to ensure all profile image updates are validated.\u003c/li\u003e\n\u003cli\u003eSet the appropriate environment variables to enable \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e and a default Content Security Policy (CSP) to mitigate XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:31:48Z","date_published":"2026-05-14T20:31:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-xss/","summary":"Open WebUI is vulnerable to stored cross-site scripting (XSS) via OAuth profile picture handling, allowing an attacker to inject malicious SVG code and potentially take over user accounts by exfiltrating JWT tokens.","title":"Open WebUI Stored XSS Vulnerability via OAuth Profile 
Picture","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}