Cross-Site Scripting Vulnerability in Open WebUI by Open WebUI
CVE-2026-45314

7.4 HIGH

Key Information:

Vendor
Open-webui

CVE Published:
15 May 2026

What is CVE-2026-45314?

Open WebUI, a self-hosted artificial intelligence platform, is vulnerable to a Cross-Site Scripting (XSS) flaw in versions prior to 0.9.3 because arbitrary profile_image_url values are accepted. The channel webhook create/update process allows submission of malicious data, including SVG payloads in the format data:image/svg+xml;base64. When users access the profile-image URL, the application decodes and delivers the SVG content without proper sanitization, which can trigger potentially harmful script execution in the browser. This vulnerability is addressed in version 0.9.3.
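The root cause above is that the webhook handler stores whatever profile_image_url it is given and the server later serves the decoded SVG as-is. As an added illustration (not Open WebUI's own code; the function, allowlist and sample values are assumptions), this is the kind of server-side validation a create/update handler can apply: accept only http(s) URLs or base64 data: URIs of raster image types, and require the decoded bytes to carry the matching file signature so a mislabelled SVG cannot pass.

```python
import base64
import re
from urllib.parse import urlparse

# Raster formats only: SVG is XML that may carry script, so it is rejected, not "sanitized".
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# data:<mediatype>[;param...],<payload>
_DATA_URI = re.compile(r"^data:([^,;]+)((?:;[^,;]+)*),(.*)$", re.DOTALL)

def _magic_matches(mediatype: str, raw: bytes) -> bool:
    # File-signature check so a mislabelled blob cannot pass as a raster image.
    if mediatype == "image/png":
        return raw.startswith(b"\x89PNG\r\n\x1a\n")
    if mediatype == "image/jpeg":
        return raw.startswith(b"\xff\xd8\xff")
    if mediatype == "image/gif":
        return raw[:6] in (b"GIF87a", b"GIF89a")
    if mediatype == "image/webp":
        return raw[:4] == b"RIFF" and raw[8:12] == b"WEBP"
    return False

def validate_profile_image_url(url: str, max_bytes: int = 512 * 1024) -> tuple[bool, str]:
    """Hypothetical helper: return (accepted, reason) for a submitted profile_image_url."""
    if url.startswith("data:"):
        m = _DATA_URI.match(url)
        if not m:
            return False, "malformed data URI"
        mediatype, params, payload = m.group(1).strip().lower(), m.group(2).lower(), m.group(3)
        if mediatype not in ALLOWED_IMAGE_TYPES:
            return False, f"media type not allowed: {mediatype}"
        if ";base64" not in params:
            return False, "only base64 data URIs are accepted"
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False, "invalid base64 payload"
        if len(raw) > max_bytes:
            return False, "image too large"
        if not _magic_matches(mediatype, raw):
            return False, "payload does not match declared type"
        return True, "inline raster image accepted"
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return True, "remote URL accepted"
    return False, f"scheme not allowed: {parsed.scheme or 'none'}"

# Constructed sample inputs (not taken from the advisory).
SAMPLE_PNG_URI = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\0" * 16).decode()
SAMPLE_SVG_URI = "data:image/svg+xml;base64," + base64.b64encode(b"<svg/>").decode()
MISLABELLED_URI = "data:image/png;base64," + base64.b64encode(b"<svg/>").decode()
```

Serving the stored image with a fixed Content-Type and `X-Content-Type-Options: nosniff` complements this check, since validation at write time does nothing for records stored before the fix.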

Affected Version(s)

open-webui < 0.9.3

CVSS V4

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
