CVE-2026-45314 HIGH

CVE-2026-45314: Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image

Vendor Open-Webui
Product open-webui
Weakness CWE-87
Published May 15, 2026
Last update May 18, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves this SVG as image/svg+xml without sanitization, allowing attacker-controlled script handlers (for example onload) to execute when the profile-image URL is opened in the browser. This vulnerability is fixed in 0.9.3.

Key dates

02Disclosure timeline

May 15, 2026 CVE published
May 18, 2026 Record updated