[GH-ISSUE #19519] issue: Base64 encoded images included in API responses #34440

New Issue

Closed

opened 2026-04-25 08:26:34 -05:00 by GiteaMirror · 2 comments

GiteaMirror commented 2026-04-25 08:26:34 -05:00

Owner

Copy Link

Originally created by @luke-wren on GitHub (Nov 26, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19519

Check Existing Issues

• I have searched for any existing and/or related issues.
• I have searched for any existing and/or related discussions.
• I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
• I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.40

Ollama Version (if applicable)

No response

Operating System

Amazon Linux 2023

Browser (if applicable)

Chrome 142.0.7444.60

Confirmation

• I have read and followed all instructions in README.md.
• I am using the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have provided every relevant configuration, setting, and environment variable used in my setup.
• I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
• I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
• Start with the initial platform/version/OS and dependencies used,
• Specify exact install/launch/configure commands,
• List URLs visited, user input (incl. example values/emails/passwords if needed),
• Describe all options and toggles enabled or changed,
• Include any files or environmental changes,
• Identify the expected and actual result at each stage,
• Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

API responses that include user avatars should return a URL (or relative path) to the image, not an inlined base64 encoded image. This allows the browser and any intermediate caches to reuse the image rather than re-sending it on every request.

Several endpoints currently include a user object in their payloads. I would expect the profile_image_url field on that object to be a URL, similar to:

"user": {
"id": "c77a1139-75e1-4392-ab1c-1a2e8c69b086",
"name": "User",
"email": "user@example.com",
"role": "admin",
"profile_image_url": "/path/to/avatar.png"
}

For comparison, the model metadata returned from /api/v1/models/list already uses profile_image_url as a relative URL to an image, which is the behaviour I would expect for the user object as well.

Endpoints where I have observed this issue with the user object include:

• /api/v1/tools
• /api/v1/models
• /api/v1/models/list
• /api/v1/tools/list
• /api/v1/prompts/list
• /api/v1/knowledge/list
• /api/v1/users

Actual Behavior

In API payloads, the user.profile_image_url field often contains a large base64 encoded image instead of a URL.

For users with high resolution avatars, this can inflate the response size significantly. In my case, some responses are over 23 MB purely due to repeated base64 avatar data.

Steps to Reproduce

These steps focus on /api/v1/models/list, but the behaviour is similar on other endpoints that include a user object.

1. Run Open WebUI via Docker with the default configuration.
2. Upload a custom avatar for your user.
   • Note: Open WebUI crops uploaded avatars to 250x250, but IdP synced avatars are not cropped.
3. Create a model.
4. Call the API: curl http://localhost:3000/api/v1/models/list
5. Inspect the JSON response and observe that the user.profile_image_url field contains a large base64 encoded image instead of a URL.

Logs & Screenshots

Additional Information

When a user uploads their own avatar, Open WebUI crops it to 250x250, which helps limit the maximum file size.

However, when user avatars are synced from a third party identity provider (Azure Entra ID in my case), they are not cropped. Some of these synced avatars are large (for example, 2000x2000), which results in very large base64 blobs being embedded into API responses wherever the user object is included.

This combination of uncropped high resolution avatars and base64 inlining in multiple endpoints leads to very large response sizes and unnecessary bandwidth usage.

Originally created by @luke-wren on GitHub (Nov 26, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/19519 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.6.40 ### Ollama Version (if applicable) _No response_ ### Operating System Amazon Linux 2023 ### Browser (if applicable) Chrome 142.0.7444.60 ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior API responses that include user avatars should return a URL (or relative path) to the image, not an inlined base64 encoded image. This allows the browser and any intermediate caches to reuse the image rather than re-sending it on every request. Several endpoints currently include a user object in their payloads. I would expect the profile_image_url field on that object to be a URL, similar to: "user": { "id": "c77a1139-75e1-4392-ab1c-1a2e8c69b086", "name": "User", "email": "user@example.com", "role": "admin", "profile_image_url": "/path/to/avatar.png" } For comparison, the model metadata returned from /api/v1/models/list already uses profile_image_url as a relative URL to an image, which is the behaviour I would expect for the user object as well. Endpoints where I have observed this issue with the user object include: - /api/v1/tools - /api/v1/models - /api/v1/models/list - /api/v1/tools/list - /api/v1/prompts/list - /api/v1/knowledge/list - /api/v1/users ### Actual Behavior In API payloads, the user.profile_image_url field often contains a large base64 encoded image instead of a URL. For users with high resolution avatars, this can inflate the response size significantly. In my case, some responses are over 23 MB purely due to repeated base64 avatar data. ### Steps to Reproduce These steps focus on /api/v1/models/list, but the behaviour is similar on other endpoints that include a user object. 1. Run Open WebUI via Docker with the default configuration. 2. Upload a custom avatar for your user. • Note: Open WebUI crops uploaded avatars to 250x250, but IdP synced avatars are not cropped. 3. Create a model. 4. Call the API: curl http://localhost:3000/api/v1/models/list 5. Inspect the JSON response and observe that the user.profile_image_url field contains a large base64 encoded image instead of a URL. ### Logs & Screenshots <img width="938" height="1031" alt="Image" src="https://github.com/user-attachments/assets/22eb342c-8acc-4ff2-a754-7c3d112305a5" /> ### Additional Information When a user uploads their own avatar, Open WebUI crops it to 250x250, which helps limit the maximum file size. However, when user avatars are synced from a third party identity provider (Azure Entra ID in my case), they are not cropped. Some of these synced avatars are large (for example, 2000x2000), which results in very large base64 blobs being embedded into API responses wherever the user object is included. This combination of uncropped high resolution avatars and base64 inlining in multiple endpoints leads to very large response sizes and unnecessary bandwidth usage.

GiteaMirror added the bug label 2026-04-25 08:26:34 -05:00

GiteaMirror closed this issue 2026-04-25 08:26:34 -05:00

GiteaMirror commented 2026-04-25 08:26:35 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Nov 27, 2025):

Should be addressed with 384753c6ca in dev!

<!-- gh-comment-id:3584000248 --> @tjbck commented on GitHub (Nov 27, 2025): Should be addressed with 384753c6cae0dec972e477ec7d94fa4849f52321 in dev!

GiteaMirror commented 2026-04-25 08:26:36 -05:00

Author

Owner

Copy Link

@silentoplayz commented on GitHub (Nov 30, 2025):

Can this be closed?

<!-- gh-comment-id:3592327955 --> @silentoplayz commented on GitHub (Nov 30, 2025): Can this be closed?

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#34440