
Open WebUI File Upload Vulnerability Enables 1-Click RCE Attack
Why It Matters
The flaw gives threat actors a low‑effort path to hijack admin accounts and execute arbitrary code on vulnerable Open WebUI deployments, exposing sensitive corporate data and infrastructure. Its unpatched status amplifies risk for enterprises that rely on the platform for internal AI tooling.
Key Takeaways
- Open WebUI allows SVG profile images without proper validation
- Malicious SVG can execute JavaScript, leading to 1‑click RCE
- Exploit works against admins, stealing tokens and creating reverse shells
- No patch for version 0.7.2; mitigation requires code allowlist changes
Pulse Analysis
Open WebUI has become a popular front‑end for AI‑driven chat assistants, offering a simple interface for teams to manage prompts, tools, and conversation history. The newly disclosed vulnerability exploits the platform’s image‑upload pipeline, which accepts base64‑encoded SVG files without enforcing a strict MIME‑type allowlist. Because SVG can embed executable JavaScript, an attacker can store a malicious payload that the server streams back to any viewer, turning a benign‑looking profile picture into a weaponized script. This type of stored cross‑site scripting is especially dangerous when the application renders the image inline, bypassing download prompts and executing code in the context of the logged‑in user.
The attack chain is straightforward yet potent: a crafted SVG containing a reverse‑shell script is uploaded as a user avatar, then a phishing email or direct link lures a target—preferably an admin with workspace.tools privileges—to view the image. Once rendered, the script calls Open WebUI’s internal APIs, such as /api/v1/tools/create, to plant a new tool loaded with malicious code, achieving full remote code execution. Even standard users face severe consequences, as the script can scrape local‑storage tokens and exfiltrate chat logs, enabling complete account takeover. Compared with typical XSS bugs, this flaw requires only a single click, dramatically lowering the barrier for exploitation and raising the threat profile for organizations that host the UI on internal networks.
Open WebUI’s maintainers have not yet issued a patch for version 0.7.2, leaving administrators to apply manual mitigations. The immediate fix involves editing the users.py module to enforce an allowlist that accepts only safe image formats like JPEG and PNG, rejecting SVG uploads entirely. Longer‑term, the incident underscores the need for robust input validation and content‑type sanitization in any web application that processes user‑generated media. Security teams should monitor for anomalous API calls, enforce least‑privilege access to tool‑creation endpoints, and consider deploying web‑application firewalls that can detect and block malicious SVG payloads. The broader lesson is clear: even seemingly innocuous features such as profile pictures can become vectors for full system compromise if developers overlook strict media validation.
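The allowlist mitigation described above, sketched as an added example (this is not Open WebUI's code and not the contents of users.py). The function names, the strict data-URI pattern and the sample inputs are assumptions made for illustration; the check rejects SVG by MIME type and also rejects bodies whose magic bytes do not match the declared type.

```python
import base64
import binascii
import re

# Allowlist from the mitigation above: JPEG and PNG only (hypothetical names).
# Maps each declared MIME type to the magic bytes the decoded body must start with.
ALLOWED_IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
# Strict data-URI shape: one MIME type, base64 encoding, no extra parameters.
_DATA_URI = re.compile(r"data:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]*={0,2})")


def validate_profile_image(data_uri: str) -> tuple[str, bytes]:
    """Return (mime, decoded_bytes) for an allowed image, else raise ValueError."""
    match = _DATA_URI.fullmatch(data_uri.strip())
    if match is None:
        raise ValueError("not a base64 data URI")
    mime, payload = match.group(1), match.group(2)
    signature = ALLOWED_IMAGE_SIGNATURES.get(mime)
    if signature is None:
        raise ValueError(f"MIME type not allowed: {mime}")
    try:
        body = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 payload") from exc
    if not body.startswith(signature):
        raise ValueError("content does not match declared MIME type")
    return mime, body


def is_allowed(data_uri: str) -> bool:
    try:
        validate_profile_image(data_uri)
        return True
    except ValueError:
        return False


def _uri(mime: str, body: bytes) -> str:
    return f"data:{mime};base64,{base64.b64encode(body).decode()}"

# Constructed sample inputs (not real uploads); the SVG body is an empty element.
SVG_BODY = b'<svg xmlns="http://www.w3.org/2000/svg"/>'
SAMPLE_PNG = _uri("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SAMPLE_SVG = _uri("image/svg+xml", SVG_BODY)
SAMPLE_SVG_AS_PNG = _uri("image/png", SVG_BODY)
```

When the image is later served, the response Content-Type should be the validated MIME type returned here rather than a value taken from the upload request.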