Open WebUI Stored Cross-Site Scripting Vulnerability via Malicious File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Open WebUI versions prior to 0.9.3. The issue arises in the audio transcription upload endpoint, where the uploaded file is saved in the cache directory under an extension taken from the user-supplied filename. The cached files are served without a Content-Disposition header, allowing a verified user with the chat.stt permission to upload a polyglot WAV+HTML file. That file can then execute scripts in the Open WebUI origin once another user is tricked into opening its URL.

Impact

Exploitation of this vulnerability allows for authenticated stored cross-site scripting in the Open WebUI origin, accessible to any verified user with the chat.stt permission. The injected script runs after a single click from another authenticated user, potentially leading to session-token theft and full account takeover, including admin accounts. With an admin token, it could allow in-process code execution on the server through Open WebUI's admin-only plugin mechanism, although this is not covered in this report.

Reproduction

To reproduce this vulnerability, upload a polyglot WAV+HTML file named 'pwn.html' to the audio transcription endpoint. Ensure that the file is treated as 'audio/wav' by the server. Once uploaded, the file can be accessed through the cache route, where it will be served as 'text/html' without a 'Content-Disposition' header. This allows any embedded scripts to execute in the Open WebUI origin.

Remediation

Users can update to Open WebUI version 0.9.3 or later, where this vulnerability is fixed. Alternatively, the 'USER_PERMISSIONS_CHAT_STT' setting can be disabled for non-admin users to prevent them from uploading files that could exploit this vulnerability.
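The two defects named above (an extension taken from the user-supplied filename, and cached files served without Content-Disposition) map onto a small hardening pattern. The following is an added example in Python, not Open WebUI's code or its actual fix; the allowlist, function names and header set are assumptions:

```python
import os
import secrets
from typing import Dict, Optional

# Constructed allowlist of audio containers accepted here; not Open WebUI's config.
ALLOWED_AUDIO_EXTS = {".wav", ".mp3", ".ogg", ".flac"}
MIME_BY_EXT = {".wav": "audio/wav", ".mp3": "audio/mpeg",
               ".ogg": "audio/ogg", ".flac": "audio/flac"}

def sniff_audio_ext(head: bytes) -> Optional[str]:
    """Derive the extension from magic bytes, never from the client's filename."""
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return ".wav"
    if head[:4] == b"fLaC":
        return ".flac"
    if head[:4] == b"OggS":
        return ".ogg"
    if head[:3] == b"ID3" or head[:2] in (b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"):
        return ".mp3"
    return None

def safe_cache_name(user_filename: str, head: bytes) -> str:
    """Server-generated basename plus sniffed extension: 'pwn.html' can never
    land in the cache as .html, and a claimed/actual mismatch is rejected."""
    claimed = os.path.splitext(os.path.basename(user_filename))[1].lower()
    sniffed = sniff_audio_ext(head)
    if sniffed is None or claimed not in ALLOWED_AUDIO_EXTS:
        raise ValueError("rejected: not a recognised audio upload")
    return secrets.token_hex(16) + sniffed

def cache_response_headers(stored_name: str) -> Dict[str, str]:
    """'attachment' stops the browser rendering the body in the app origin (the
    header the advisory notes is missing); 'nosniff' stops it re-typing the bytes."""
    ext = os.path.splitext(stored_name)[1].lower()
    return {
        "Content-Type": MIME_BY_EXT.get(ext, "application/octet-stream"),
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

With both pieces in place, a valid WAV that also carries HTML is still stored and served as audio and only ever downloaded, so nothing inside it runs in the application's origin.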

Added: May 15, 2026, 10:31 PM
Updated: May 15, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  4.2
remediation     8.3
relevance       8.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.