CVE-2026-54013
Status: Undergoing Analysis - In Progress
SVG XSS in Open WebUI Model Profile Images

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The ModelMeta class has no validate_profile_image_url field validator, and the model image serving endpoint has no MIME allowlist or nosniff header. Any authenticated user with workspace.models permission (enabled by default) can store a data:image/svg+xml;base64,... payload in a model's profile image and achieve full account takeover of anyone who navigates to the image URL. This vulnerability is fixed in 0.9.6.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor      Product     Version / Range
open_webui  open_webui  up to 0.9.6 (exclusive)
open_webui  open_webui  0.9.6
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116  The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-693  The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Compliance Impact

The vulnerability allows an authenticated user to perform a stored cross-site scripting (XSS) attack that can lead to full account takeover by stealing JWT tokens. This can result in unauthorized access to sensitive user data and administrative privileges.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Executive Summary

CVE-2026-54013 is a stored cross-site scripting (XSS) vulnerability in Open WebUI versions 0.9.5 and earlier. It occurs because the ModelMeta class does not validate the profile_image_url field, and the endpoint serving model profile images lacks a MIME type allowlist and security headers like X-Content-Type-Options.

An authenticated user with workspace.models permission can upload a malicious SVG image containing a script payload as a model profile image. When another user accesses this image URL, the embedded script executes in the Open WebUI origin, allowing the attacker to steal the victim's JWT token from localStorage.

This stolen token grants the attacker full account takeover capabilities, including changing passwords and gaining admin privileges. The vulnerability was introduced because previous fixes for similar XSS issues in user and webhook profile images were not applied to model profile images.

Impact Analysis

This vulnerability can lead to a full account takeover for users of Open WebUI. An attacker who exploits this flaw can steal authentication tokens, allowing them to impersonate victims, change passwords, and escalate privileges to admin level.

The impact includes loss of confidentiality since attackers can access sensitive user data, and potential integrity issues due to unauthorized changes in user accounts. The vulnerability has a high CVSS score of 7.6, indicating a serious security risk.

Detection Guidance

This vulnerability can be detected by checking if any model profile images contain SVG data with embedded scripts, especially those uploaded by authenticated users with workspace.models permission.

You can inspect the model profile image URLs and their content to see if they include data:image/svg+xml;base64 payloads that might contain malicious scripts.

Additionally, verify if the model image serving endpoint lacks MIME type allowlist enforcement or the X-Content-Type-Options security header.

Suggested commands include using curl or wget to fetch model profile images and checking HTTP headers, for example:

  • curl -I https://your-openwebui-instance/model-profile-image-url
  • curl https://your-openwebui-instance/model-profile-image-url | base64 -d | grep -i script
  • Inspect the database or storage where model profile images are stored for data:image/svg+xml;base64 strings.

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.9.6 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict or disable the workspace.models permission for users who do not require it to prevent malicious SVG uploads.

Additionally, review and remove any suspicious SVG model profile images containing embedded scripts.

Implement manual checks or temporary filters to block or sanitize SVG uploads in model profile images.
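
One way to run the stored-value check from Detection Guidance and the temporary filter described above is to classify each profile_image_url against a MIME allowlist. This is an added example, not Open WebUI's own code: the function names, the allowlist contents and the sample values are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Added example; names below are illustrative, not Open WebUI's API.
# Assumption: raster types a profile image needs; adjust per deployment.
ALLOWED_DATA_MIME = {"image/png", "image/jpeg", "image/gif", "image/webp"}
# Heuristic markers of script-capable SVG, used only to prioritise review.
ACTIVE_SVG = re.compile(rb"<\s*script|\bon\w+\s*=|javascript:|<\s*foreignObject", re.I)


def parse_data_url(value):
    """Return (mime, payload_bytes) for a data: URL, or None for any other value."""
    value = value.strip()
    if value[:5].lower() != "data:":
        return None
    header, sep, body = value[5:].partition(",")
    if not sep:
        raise ValueError("data URL without a comma separator")
    params = [p.strip().lower() for p in header.split(";")]
    mime = params[0] or "text/plain"  # RFC 2397 default media type
    if "base64" in params[1:]:
        return mime, base64.b64decode(unquote_to_bytes(body), validate=True)
    return mime, unquote_to_bytes(body)


def audit_profile_image_url(value):
    """Classify one stored profile_image_url value as 'ok', 'review' or 'block'."""
    try:
        parsed = parse_data_url(value)
    except ValueError:  # also covers binascii.Error raised on bad base64
        return "block"
    if parsed is None or parsed[0] in ALLOWED_DATA_MIME:
        return "ok"  # not an inline payload, or an allowlisted raster type
    mime, payload = parsed
    if mime == "image/svg+xml" and not ACTIVE_SVG.search(payload):
        return "review"  # inert-looking SVG, still outside the allowlist
    return "block"


def svg_data_url(svg_text):  # builds constructed sample values only
    return "data:image/svg+xml;base64," + base64.b64encode(svg_text.encode()).decode()


if __name__ == "__main__":
    inert = svg_data_url("<svg xmlns='http://www.w3.org/2000/svg'><circle r='4'/></svg>")
    active = svg_data_url("<svg xmlns='http://www.w3.org/2000/svg'><script>/*x*/</script></svg>")
    for v in ("/static/example.png", "data:image/png;base64,iVBORw0KGgo=", inert, active):
        print(audit_profile_image_url(v), v[:48])
```

The same function can be run over values exported from model records during an audit, or called before a value is stored; the allowlist decides the verdict, while the SVG pattern match only separates "review" from "block".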
