CVE-2026-45299 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
The profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:
data:text/html;base64,... in a new browser tab (raresvis, 2025-04-17) — when a victim right-clicks a user's profile picture and chooses "Open image in new tab", the browser navigates to the data: URL and executes embedded scripts in the data: origin. Limited to social-engineering / redirect attacks because the script does not run in the application origin.
data:image/svg+xml;base64,... re-served by the application origin (Gh05t666nero, 2026-01-09) — GET /api/v1/users/{user_id}/profile/image decoded the base64 and returned StreamingResponse(media_type=<user-controlled>) extracted from the data: header. With media_type=image/svg+xml and Content-Disposition: inline, the SVG-embedded scripts executed in the application origin, enabling JWT theft from localStorage and full account takeover of any user — including admins — who loaded the malicious profile image URL.
Both attack paths share the same root cause (lack of MIME-type validation on profile_image_url) and are closed by the same fix.
backend/open_webui/routers/users.py, get_user_profile_image_by_id() (vulnerable code path, before commit 773787c74):

```python
# Only the "data:image" prefix is checked, so data:image/svg+xml passes.
elif user.profile_image_url.startswith("data:image"):
    header, base64_data = user.profile_image_url.split(",", 1)
    image_data = base64.b64decode(base64_data)
    image_buffer = io.BytesIO(image_data)
    # lstrip("data:") removes any leading run of the characters d, a, t and ':',
    # leaving the MIME type exactly as the user supplied it (e.g. image/svg+xml).
    media_type = header.split(";")[0].lstrip("data:")  # user-controlled
    return StreamingResponse(
        image_buffer,
        media_type=media_type,  # served in the application origin
        headers={"Content-Disposition": "inline"},
    )
```
Commit 773787c74 (2026-02-11), first contained in tag v0.8.0, applies the validate_profile_image_url field validator to every form that accepts profile_image_url (UserModel, UpdateProfileForm, SignupForm in backend/open_webui/models/users.py and backend/open_webui/models/auths.py). The validator explicitly rejects data:image/svg+xml and any non-image data URI, allowing only data:image/{png,jpeg,gif,webp};base64 plus known internal paths and http(s):// URLs. This blocks both attack vectors at form submission time, so a malicious URL can no longer be persisted to the database.

Distinct exploitation paths credited:
- data:text/html-via-new-tab path
- data:image/svg+xml-via-server-side path (the more severe origin-XSS vector that determined the consolidated CVSS)

Per our Report Handling policy, the cluster is consolidated into the earliest filing with credit to every reporter who demonstrated a distinct exploitation path.
Affected versions: < 0.8.0
Fixed versions: >= 0.8.0
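As an added illustration of the allowlist approach described above (this is example code, not the project's own validator; the internal path list is a placeholder), a field validator that accepts only http(s) URLs, known internal paths and base64 raster-image data URIs, going one step further than the described fix by also checking the decoded bytes against the declared type, plus a helper showing that the response media type should come from the re-validated allowlist rather than the stored data: header:

```python
import base64
import binascii
import re

# Allowlist mirroring the fix described above: base64 raster-image data URIs,
# http(s) URLs and known internal paths (the paths here are placeholders).
ALLOWED_DATA_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
KNOWN_INTERNAL_PATHS = ("/user.png", "/static/")
DATA_URI_RE = re.compile(r"^data:([A-Za-z0-9.+/-]+);base64,(.*)$", re.DOTALL)
# Magic bytes: a URI labelled image/png must actually carry PNG bytes.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/webp": (b"RIFF",),  # container prefix only; WEBP tag at offset 8 not checked
}

def validate_profile_image_url(url: str) -> str:
    """Return url if it is safe to store, otherwise raise ValueError."""
    if url == "" or url.startswith(KNOWN_INTERNAL_PATHS):  # empty = no picture (assumed)
        return url
    if url.startswith(("http://", "https://")):
        return url
    m = DATA_URI_RE.match(url)
    if m is None:
        # Any other scheme, and any data: URI not of the form data:<type>;base64,...
        raise ValueError("expected http(s) URL, internal path or base64 image data URI")
    mime, payload = m.group(1).lower(), m.group(2)
    if mime not in ALLOWED_DATA_IMAGE_TYPES:  # rejects image/svg+xml, text/html, ...
        raise ValueError(f"unsupported data URI media type: {mime}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("data URI payload is not valid base64") from exc
    if not raw.startswith(MAGIC[mime]):
        raise ValueError(f"payload bytes do not match {mime}")
    return url

def is_allowed(url: str) -> bool:
    try:
        validate_profile_image_url(url)
        return True
    except ValueError:
        return False

def media_type_for_stored_uri(url: str) -> str:
    """Content type to serve a stored data URI under: re-validated, so it is one
    of ALLOWED_DATA_IMAGE_TYPES rather than whatever the stored header says."""
    return DATA_URI_RE.match(validate_profile_image_url(url)).group(1).lower()
```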