CVE-2026-45314: Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
The channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads, and stores them without validation. The profile image endpoint (/api/v1/channels/webhooks/{webhook_id}/profile/image) then base64-decodes the stored payload and serves it with Content-Type: image/svg+xml and no sanitization. Because an SVG document is XML and may carry script, attacker-controlled event handlers (for example onload on the root svg element) execute in the application's origin when the profile-image URL is navigated to directly in the browser; the same markup is inert inside an img tag, so the exploit path is a top-level request for the image URL. The result is a stored XSS that any user able to create or update a channel webhook can plant.
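The pattern described above, as an added example that is not Open WebUI's code: a minimal data-URL decoder with the vulnerable serving logic beside a hardened one. The hardened path allowlists raster image types only, cross-checks the declared MIME type against magic bytes, and adds nosniff and a sandboxing CSP as defense in depth; a write-time validator rejects SVG data URLs before they are ever stored. The sample URLs, the `Response` class, and all function names are constructed for illustration.

```python
import base64
import binascii
import re
import urllib.parse
from dataclasses import dataclass, field

# Types a profile-image endpoint may serve inline. SVG is deliberately
# absent: it is an XML document that can contain script and event handlers.
SAFE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Magic bytes used to cross-check the declared MIME type of the payload.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "image/webp": b"RIFF",
}

# data:<mime>[;param...],<payload>
DATA_URL_RE = re.compile(r"^data:([^;,]+)((?:;[^;,]*)*),(.*)$", re.DOTALL)

# Flags script, inline event handlers and javascript: URLs in SVG markup.
ACTIVE_SVG_RE = re.compile(rb"<script|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


@dataclass
class Response:
    """Stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_data_url(url: str):
    """Return (mime, decoded_bytes) for a data: URL, or None if unparseable."""
    m = DATA_URL_RE.match(url)
    if m is None:
        return None
    mime, params, payload = m.group(1).strip().lower(), m.group(2), m.group(3)
    try:
        if ";base64" in params:
            data = base64.b64decode(payload, validate=False)
        else:
            data = urllib.parse.unquote_to_bytes(payload)
    except (binascii.Error, ValueError):
        return None
    return mime, data


def serve_profile_image_vulnerable(profile_image_url: str) -> Response:
    """Mirrors the advisory: decode whatever was stored and serve it under its declared type."""
    parsed = parse_data_url(profile_image_url)
    if parsed is None:
        return Response(404)
    mime, data = parsed
    return Response(200, {"Content-Type": mime}, data)


def serve_profile_image_hardened(profile_image_url: str) -> Response:
    """Allowlist raster types, verify magic bytes, and neutralise the response."""
    parsed = parse_data_url(profile_image_url)
    if parsed is None:
        return Response(404)
    mime, data = parsed
    if mime not in SAFE_IMAGE_TYPES or not data.startswith(MAGIC[mime]):
        return Response(415)
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",          # no MIME sniffing into HTML/SVG
        "Content-Security-Policy": "sandbox; default-src 'none'",  # unique origin, no script
    }
    return Response(200, headers, data)


def validate_profile_image_url(url: str) -> bool:
    """Write-time check for the create/update flow: accept only raster data URLs."""
    parsed = parse_data_url(url)
    return parsed is not None and parsed[0] in SAFE_IMAGE_TYPES


def svg_has_active_content(data: bytes) -> bool:
    """Audit helper for already-stored payloads: does this SVG carry script?"""
    return ACTIVE_SVG_RE.search(data) is not None


# Constructed sample inputs (not from the advisory).
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>'
MALICIOUS_SVG_URL = "data:image/svg+xml;base64," + base64.b64encode(_SVG).decode()
# Declared PNG but SVG bytes inside: caught by the magic-byte check.
MISMATCHED_URL = "data:image/png;base64," + base64.b64encode(_SVG).decode()
# Truncated PNG header is enough for this example's magic-byte check.
BENIGN_PNG_URL = "data:image/png;base64," + base64.b64encode(MAGIC["image/png"] + b"\0" * 8).decode()

if __name__ == "__main__":
    print("vulnerable:", serve_profile_image_vulnerable(MALICIOUS_SVG_URL).headers)
    print("hardened:  ", serve_profile_image_hardened(MALICIOUS_SVG_URL).status)
```

Rejecting SVG at write time is the actual fix; the response headers on the hardened serving path only limit the damage if a bad value is already in the database, which is also what `svg_has_active_content` is for when auditing existing webhook records.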