Skip to main content

Open WebUI CVE-2026-45347

| EUVDEUVD-2026-30648 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-14 https://github.com/open-webui/open-webui GHSA-f776-fp4w-266c
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:20 vuln.today
Analysis Generated
May 14, 2026 - 21:20 vuln.today
CVE Published
May 14, 2026 - 20:22 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

Blind server side request forgery (SSRF) via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

Details

In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below.

PoC

Start a chat and export the PDF: !grafik

Intercept the request and insert an <img> tag into the title:

http
POST /api/v1/utils/pdf HTTP/2
Host: domain.local
//Some headers removed
Content-Type: application/json
Content-Length: 541
Te: trailers

{"title":"<img src='https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com' />","messages":[{"id":"81f24589-384d-431c-a26c-5cd3382ac941","parentId":null,"childrenIds":["0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e"],"role":"user","content":"hallo","timestamp":1736932102,"models":["gpt-4o-POC"]},{"parentId":"81f24589-384d-431c-a26c-5cd3382ac941","id":"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e","childrenIds":[],"role":"assistant","content":"Hallo! Wie kann ich Ihnen helfen?","model":"gpt-4o-POC","modelName":"gpt-4o-POC","modelIdx":0,"userContext":null,"timestamp":1736932103,"done":true}]}

A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com.

Impact

A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests.

Resolution

Fixed in commit 167c8bf00, first released in v0.5.11 (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (title, content, role, model, formatted date) in html.escape() before the template f-string is fed to fpdf2.write_html(). The PoC payload <img src='...' /> is escaped to &lt;img src=&#x27;...&#x27; /&gt; and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on >= 0.5.11 are not affected.

AnalysisAI

Blind server-side request forgery (SSRF) in Open WebUI versions prior to 0.5.11 allows authenticated users to force arbitrary GET requests from the server via malicious HTML image tags embedded in the PDF export function. The vulnerability exists because user-supplied input (title, content, role, model, and date fields) is interpreted as HTML before being passed to the PDF generator without proper sanitization, enabling attackers to enumerate internal assets and trigger outbound requests despite response content not being readable.

Technical ContextAI

Open WebUI's PDF generation functionality uses the fpdf2 library to convert user-provided chat data into PDF documents. The vulnerable code path flows through the pdf_generator.py module, which constructs an HTML template containing user-controlled fields (title, message content, role, model name, formatted timestamp) and passes this HTML directly to fpdf2's write_html() method. The fpdf2 library interprets HTML markup including image tags, causing the browser or PDF renderer to attempt to load the URL specified in the src attribute. Because HTML parsing occurs server-side before PDF generation, a malicious image tag with a server-reachable domain (e.g., attacker-controlled external service or internal IP) triggers a GET request from the server itself rather than the client, bypassing network controls. The root cause is CWE-918 (Server-Side Request Forgery), where insufficient input validation and lack of output encoding allows user input to be interpreted as control structures rather than data.

RemediationAI

Upgrade Open WebUI to version 0.5.11 or later, which patches the vulnerability by wrapping all user-controllable input fields (title, content, role, model, formatted date) in html.escape() before passing the HTML template to fpdf2.write_html(). The escaped output renders malicious HTML tags as literal text rather than parsed markup. Patch details and verification are available at the GitHub repository: https://github.com/open-webui/open-webui/commit/167c8bf00d165af523acfc3b870749f6be6d3e57 and security advisory https://github.com/open-webui/open-webui/security/advisories/GHSA-f776-fp4w-266c. No workaround is recommended for versions < 0.5.11 due to the inherent risk of SSRF and the simplicity of the fix; upgrading is the only reliable mitigation. Organizations unable to upgrade immediately should restrict PDF export functionality to trusted users or disable the feature entirely via configuration until patching is feasible.

Share

CVE-2026-45347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy