Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
SSRF Bypass via IPv6/IPv4-mapped IPv6/IPv4-reserved-ranges in validate_url()
Summary
validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 - the call raises a ValidationError (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (::ffff:10.0.0.1) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, etc.) are not blocked.
The vulnerability has existed since the validate_url() function was introduced and was NOT actually fixed by GHSA-c6xv-rcvw-v685 / CVE-2025-65958 despite that patch's intent. It affects every endpoint that calls validate_url(), including /api/v1/retrieval/process/web, /api/v1/images/edit, and others.
Affected code
backend/open_webui/retrieval/web/utils.py validate_url():
if validators.ipv6(ip, private=True):
# ValidationError is falsy - never raises
raise ValueError(...)Proof of concept
import validators
print(validators.ipv6("::1", private=True))
# ValidationError(func=ipv6, args={'reason': "ipv6() got an unexpected keyword argument 'private'", ...})End-to-end exploit:
import requests, ipaddress
OPEN_WEBUI_URL = "https://target"
TOKEN = "..."
TARGET_IPV4 = "169.254.169.254"
# AWS IMDSv1
mapped = "::ffff:" + TARGET_IPV4
requests.post(f"{OPEN_WEBUI_URL}/api/v1/retrieval/process/web",
headers={"Authorization": f"Bearer {TOKEN}"},
json={"collection_name": "", "url": f"http://[{mapped}]/latest/meta-data/iam/security-credentials/"})Impact
Any authenticated user can reach any internal IPv4/IPv6 address from the server process - cloud metadata, localhost-bound APIs, internal services. IMDSv1 reachability leads to IAM credential exfiltration.
Recommended fix
Replace the validators library calls with stdlib ipaddress:
import ipaddress
addr = ipaddress.ip_address(ip)
if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved or addr.is_unspecified:
raise ValueError(...)
# also unwrap IPv4-mapped IPv6 and re-check:
if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
addr_v4 = addr.ipv4_mapped
if addr_v4.is_private or addr_v4.is_loopback or ...:
raise ValueError(...)
# plus explicit blocks for IANA reserved ranges (0.0.0.0/8, 100.64.0.0/10, etc. - see body for full list).Related but separate advisories
- Redirect-bypass cluster: GHSA-rh5x-h6pp-cjj6
- DNS rebinding TOCTOU: GHSA-h6x2-583h-x99r
- urlparse / requests parsing-differential: GHSA-8w7q-q5jp-jvgx
- Playwright loader redirect: GHSA-jrfp-m64g-pcwv
- Missing
validate_url()call in image_generations: GHSA-h7cc-wwjp-5xqh
Credits
- Dor Konis (dkonis, GE Vernova) - first to identify the
validators.ipv6(private=True)silent-fail and IPv4-mapped IPv6 bypass; GHSA-4v7r-f4w8-8972 (this filing, 2024-09-11; credit explicitly requested in original report). - wlayzz - first to identify the unblocked IPv4 reserved ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.2.0/24, 198.18.0.0/15, 203.0.113.0/24, etc.); GHSA-pxgj-3gvh-mfjv.
Subsequent filings (GHSA-mggf-94hh-vp4w by vnth4nhnt, GHSA-xhgr-g5q7-jg6p by L1M1T-HACK) re-described the same root cause on the same or different endpoints and were closed as duplicates without advisory credit - fixing validate_url() once resolves all of them.
AnalysisAI
Server-Side Request Forgery in Open WebUI's validate_url() function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.
Technical ContextAI
The root cause is a triple logic error in URL validation middleware used across Open WebUI's Python Flask backend. First, the validators.ipv6(ip, private=True) call in validate_url() triggers an exception because the validators library 1.0.x does not support the private keyword argument for IPv6 addresses-this ValidationError exception object is falsy in Python boolean context, causing the subsequent if check to always fail and never raise the intended ValueError. Second, IPv4-mapped IPv6 addresses (RFC 4291 format ::ffff:<IPv4>) are parsed as valid IPv6 by the URL parser but skip the IPv4 private-address checks entirely, creating a cross-protocol bypass. Third, the IPv4 filtering logic omits IANA-reserved ranges defined in RFC 1122 (0.0.0.0/8), RFC 6598 (100.64.0.0/10 shared address space), RFC 5737 (documentation ranges), and RFC 2544 (198.18.0.0/15 benchmarking). This CWE-918 (Server-Side Request Forgery) vulnerability affects pkg:pip/open-webui where URL validation gates access to external retrieval endpoints-the same validate_url() function is called by /api/v1/retrieval/process/web, /api/v1/images/edit, and related RAG (Retrieval-Augmented Generation) features that fetch remote content on behalf of users.
RemediationAI
Upgrade immediately to Open WebUI version 0.9.0 or later, available via pip (pip install --upgrade open-webui) or from the GitHub release at https://github.com/open-webui/open-webui/releases/tag/v0.9.0. The fix replaces the flawed validators library calls with Python's stdlib ipaddress module, implementing proper checks for is_private, is_loopback, is_link_local, is_multicast, is_reserved, and is_unspecified on both native IPv6 and unwrapped IPv4-mapped IPv6 addresses, plus explicit blocks for IANA-reserved IPv4 ranges. If immediate upgrade is not feasible, apply compensating network controls: restrict Open WebUI server egress to only required external domains via firewall rules (blocks SSRF to internal ranges), disable the RAG web search and image editing features via application configuration (prevents access to vulnerable endpoints, eliminates core content retrieval functionality), and deploy IMDSv2 enforcement on cloud instances (mitigates AWS credential theft but does not address broader internal network exposure). Network-level egress filtering is the most effective temporary control but requires precise allowlisting of legitimate external services; disabling features reduces attack surface at the cost of application functionality. No configuration-only workaround fully mitigates the underlying code flaw.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30611
GHSA-4v7r-f4w8-8972