Open WebUI Vulnerability via File Upload Leads to 1-Click RCE Attack

HomeCyber Security News Open WebUI Vulnerability via File Upload Leads to 1-Click RCE Attack By Abinaya May 12, 2026 A single click can allow attackers to exploit a critical, unpatched flaw in Open WebUI to seize control of AI workspaces, execute remote code, hijack accounts, and steal sensitive chat histories. Discovered by security researcher Metin Yunus Kandemir, the vulnerability stems from a Stored Cross-Site Scripting (XSS) flaw in the platform’s profile image upload feature. Because the developers refused to acknowledge the finding, the exploit code is now public, leaving users exposed. The flaw exists in how Open WebUI processes user profile pictures. When a user uploads an image, the application relies on the /backend/open_webui/routers/users.py file to handle the data. Unfortunately, the code fails to restrict the types of media users can upload. Instead of uploading a standard JPEG or PNG, an attacker can upload a malicious SVG file containing a Base64-encoded JavaScript payload. Because the application uses an “inline” content disposition, it does not force the browser to download the file. PoC for RCE (source : usehacker) Instead, when a victim visits the image link, their browser immediately executes the hidden JavaScript. Open WebUI File Upload RCE The severity of the attack depends entirely on the victim’s permission level within the Open WebUI environment: Administrators: If an admin or a user with workspace privileges clicks the malicious image link, the attacker achieves 1-Click Remote Code Execution (RCE). The JavaScript quietly creates a malicious tool via the application’s API, opening a permanent backdoor. Standard Users: If a regular user clicks the link, the script triggers an Account Takeover (ATO). It silently scrapes the user’s browser storage to steal their authentication tokens and entirely copies their chat history, sending the private data to an external server. If the victim is already logged in, no further authentication is required. The attack happens instantly in the background. This zero-day vulnerability remains unpatched in Open WebUI version 0.7.2. Kandemir originally reported the issue to the vendor on March 10, 2026. However, on May 6, 2026, the Open WebUI team closed the report as a duplicate. They referenced an undisclosed security advisory and informed researcher UseHacker that his vulnerability report would not receive official recognition. According to UseHacker, Kandemir published the full Proof of Concept (PoC) on May 8, 2026, believing the response violated responsible disclosure policies. Because no official patch has been released, organizations using Open WebUI must implement manual defenses to protect their environments. Restrict File Types: Administrators should modify the backend code to enforce a strict allowlist for the media_type variable. Only safe formats like image/png, image/jpeg, image/gif, and image/webp should be accepted. Ensure image/svg+xml is entirely blocked. Avoid Suspicious Links: Until a patch is deployed, users must exercise extreme caution. Do not click on unexpected links that redirect to the Open WebUI application, especially URLs containing /profile/image or /auth?redirect=. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News New cPanel and WHM Flaws Enable Code Execution, DoS Attacks Critical “Cline” AI Agent Vulnerability Enables RCE Attacks Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets Hackers Use PlugX-Like DLL Sideloading Chain in Fake Claude Malware Campaign Claude’s Chrome Extension Vulnerability Allows Malicious Extensions to Steal Gmail and Drive Data Latest News ANY.RUN No Blind Spots: How Top MSSPs Prevent Incidents withLive Threat Visibility Cyber Security News Threat Actors Leverage Vercel’s AI Tools to Mass‑Produce Realistic Phishing Sites Cyber Security News Zoom Rooms and Workplace Vulnerabilities Allow Attackers to Escalate Privileges Cyber Security News New Stealthy Vidar Stealer Campaign Bypass EDR and Steal Credentials Cyber Security News SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA