Open WebUI File Upload Vulnerability Enables One-Click RCE Attacks

A critical, unpatched vulnerability is actively threatening Open WebUI users, turning a simple profile picture upload into a gateway for complete system compromise.

Security researchers have publicly disclosed a severe stored Cross-Site Scripting (XSS) flaw that enables 1-click Remote Code Execution (RCE) and full account hijacking with no patch currently available.

The security flaw resides in the profile image upload feature of Open WebUI, specifically within its backend routing architecture.

Security researcher Metin Yunus Kandemir discovered that the application fails to properly validate media types when handling base64-encoded profile pictures.

An attacker can upload malicious JavaScript code using the data:image/svg+xml;base64 syntax, and when the server processes the upload, it decodes and returns the image data directly to the browser as a streaming response.

Because the system lacks a strict allowlist of safe image formats like JPEG or PNG, it blindly processes SVG files containing embedded malicious scripts.

Rather than forcing the file to download, the application renders it inline, causing the browser to execute the hidden code immediately.

Open WebUI File Upload Flaw

Exploiting this vulnerability requires minimal user interaction, making it especially dangerous in enterprise environments.

The attack chain unfolds in a few precise steps:

• Attackers craft a base64-encoded payload containing a reverse shell and upload it as a standard user profile photo
• A targeted phishing email is sent containing a redirect link pointing to the malicious profile image
• When the victim clicks the link, the application executes the JavaScript within their user context
• If the victim holds an administrator or workspace.tools privileges, the script silently calls the application’s API in the background, creates a new tool injected with reverse shell code, and triggers full RCE
• If a standard user clicks the link, the payload harvests local storage tokens and pulls chat logs, transmitting the stolen data to an attacker-controlled server for complete account takeover

The attack specifically targets these API endpoints:

Target Endpoint	Attack Function
/api/v1/tools/create	Remote Code Execution payload delivery
/api/v1/chats/all	Chat history extraction for account takeover
/api/v1/users/search	Target identification and enumeration
/api/v1/users/[user_id]/profile/image	Malicious SVG payload execution

The path to disclosure has been fraught with tension. Researchers originally reported the issue privately to Open WebUI maintainers in March, but developers closed the report two months later as a duplicate of a non-public advisory and refused to grant official acknowledgment.

Believing this response violated responsible disclosure norms, researchers published the technical details publicly to warn the community.

The vulnerability remains entirely unpatched in version 0.7.2. Until an official fix is released, users and administrators should take these immediate steps:

• Avoid clicking external links that redirect to your Open WebUI instance
• Manually patch the users.py code by restricting the media_type variable to a strict allowlist of safe formats such as JPEG and PNG
• Monitor API activity on the endpoints listed above for any suspicious or unauthorized calls
• Audit user privileges and limit workspace.tools access to minimize blast radius if an attack occurs

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post Open WebUI File Upload Vulnerability Enables One-Click RCE Attacks appeared first on Cyber Security News.