Critical Open WebUI Vulnerability Enables Remote Code Execution

Severity: High (Score: 66.8)

Sources: Gbhackers, Cybersecuritynews

Summary

A critical, unpatched vulnerability in Open WebUI allows attackers to exploit a stored Cross-Site Scripting (XSS) flaw through profile image uploads. This vulnerability enables 1-click Remote Code Execution (RCE), full account hijacking, and access to sensitive chat histories. Discovered by security researcher Metin Yunus Kandemir, the flaw poses a significant risk to users of the platform. Currently, there is no patch available, leaving systems vulnerable to exploitation. The flaw affects all users who utilize the profile image upload feature, potentially compromising AI workspaces and sensitive information. Security researchers have publicly disclosed the issue, emphasizing the urgency for users to secure their systems.

Key Points:

  • Open WebUI has a critical unpatched XSS vulnerability allowing RCE and account hijacking.
  • The flaw is exploited via profile image uploads, affecting all users of the platform.
  • No patch is currently available, increasing the urgency for users to take preventive measures.
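The summary above does not describe how the stored XSS is triggered, so the following is an added, generic illustration of the defensive control a profile-image upload endpoint needs against this class of flaw; it is not Open WebUI's code and makes no claim about its implementation. It assumes a hypothetical endpoint that receives the raw upload bytes and the client-declared Content-Type: the file is accepted only if its magic bytes identify a known raster format, the declared type must agree with the bytes, and the stored image is later served with headers that stop a browser from ever interpreting it as markup. The size limit, the sample inputs and the header set are constructed values.

```python
"""Server-side validation for profile-image uploads (added illustration).

Stored XSS through an "image" upload typically requires two things: the
server accepts a file that is not really a raster image (for example an
SVG or HTML document), and later serves it back under a content type the
browser will render as markup. Both are closed here.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_IMAGE_BYTES = 2 * 1024 * 1024  # hypothetical 2 MiB policy limit

# Magic-byte prefixes of the raster formats this hypothetical policy allows.
# SVG, HTML and anything else are rejected because they do not match.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


@dataclass
class ValidatedImage:
    content_type: str  # type derived from the bytes, not from the client
    size: int


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for signature, content_type in _SIGNATURES.items():
        if data.startswith(signature):
            return content_type
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_profile_image(data: bytes, declared_type: str) -> ValidatedImage:
    """Accept the upload only if it is a supported raster image.

    Raises ValueError for empty or oversized files, for files whose bytes
    do not match a known image signature, and when the client-declared
    Content-Type disagrees with what the bytes actually are.
    """
    if len(data) == 0 or len(data) > MAX_IMAGE_BYTES:
        raise ValueError("image size outside policy")
    actual_type = sniff_image_type(data)
    if actual_type is None:
        raise ValueError("not a supported raster image")
    # The client's Content-Type is untrusted input; it must match the bytes.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != actual_type:
        raise ValueError("declared content type does not match file contents")
    return ValidatedImage(content_type=actual_type, size=len(data))


def response_headers(image: ValidatedImage) -> Dict[str, str]:
    """Headers for serving the stored image back to a browser.

    The content type comes from validation, nosniff forbids MIME guessing,
    and a restrictive CSP means that even a mis-served file cannot run
    script or load subresources in the application's origin.
    """
    return {
        "Content-Type": image.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, max-age=3600",
    }


# Constructed sample inputs: a minimal PNG header and a harmless SVG document.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'


if __name__ == "__main__":
    accepted = validate_profile_image(PNG_SAMPLE, "image/png")
    print("accepted:", accepted, response_headers(accepted))
    for sample, declared in ((SVG_SAMPLE, "image/svg+xml"), (PNG_SAMPLE, "text/html")):
        try:
            validate_profile_image(sample, declared)
        except ValueError as exc:
            print("rejected:", exc)
```

The two rejections in the usage block are the ones that matter for this flaw class: a non-raster document is refused regardless of what the client calls it, and a genuine image whose declared type has been tampered with is refused as well. Running the same checks on the read path (re-validating before serving) protects files that were stored before the policy existed.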

Key Entities

  • XSS (vulnerability)
  • CWE-79 - Cross-Site Scripting (XSS) (cwe)
  • T1190 - Exploit Public-Facing Application (mitre_attack)