Skip to main content

Open WebUI CVE-2026-54008

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-17 https://github.com/open-webui/open-webui GHSA-226f-f24g-524w
Python PostgreSQL Microsoft Docker Redis SSRF Oracle Google Elastic
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Network reachable OAuth login flow, no UI, requires any IdP identity (PR:L); SSRF reaches systems beyond auth boundary (S:C); high read of internal data (C:H), limited integrity from stored profile field (I:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 18, 2026 - 01:30 vuln.today
Analysis Generated
Jun 18, 2026 - 01:30 vuln.today
CVE Published
Jun 17, 2026 - 14:10 github-advisory
HIGH 8.5

DescriptionGitHub Advisory

Summary

backend/open_webui/utils/oauth.py::_process_picture_url (v0.9.5, lines 1435-1470) calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without allow_redirects=False. aiohttp's default is allow_redirects=True, max_redirects=10; the function does not pass the project's AIOHTTP_CLIENT_ALLOW_REDIRECTS env constant either. An attacker with a valid OAuth IdP identity can therefore submit a public URL that 302-redirects to an internal address and read the internal response body via the attacker's own profile_image_url field.

This is the same redirect-bypass class as CVE-2026-45401 (GHSA-rh5x-h6pp-cjj6), on a 6th call site that the v0.9.5 patch missed. CVE-2026-45401's advisory body enumerates exactly five affected paths — SafeWebBaseLoader._scrape, _fetch, get_content_from_url, load_url_image, get_image_base64_from_url — none in utils/oauth.py.

Vulnerable code (v0.9.5)

backend/open_webui/utils/oauth.py, lines 1435-1470:

python
async def _process_picture_url(self, picture_url: str, access_token: str = None) -> str:
    if not picture_url:
        return '/user.png'
    try:
        validate_url(picture_url)
# initial URL only

        get_kwargs = {}
        if access_token:
            get_kwargs['headers'] = {'Authorization': f'Bearer {access_token}'}
        async with aiohttp.ClientSession(trust_env=True) as session:
            async with session.get(picture_url, **get_kwargs,
                                   ssl=AIOHTTP_CLIENT_SESSION_SSL) as resp:
#                       ^^^^^^^^^^^ no allow_redirects=False
                if resp.ok:
                    picture = await resp.read()
                    base64_encoded_picture = base64.b64encode(picture).decode('utf-8')
                    guessed_mime_type = mimetypes.guess_type(picture_url)[0]
                    if guessed_mime_type is None:
                        guessed_mime_type = 'image/jpeg'
                    return f'data:{guessed_mime_type};base64,{base64_encoded_picture}'
                ...

The function is invoked at oauth.py:1556 (new-user OAuth signup) and oauth.py:1536 (existing-user picture update on login). Neither call site re-validates after redirect-following.

backend/open_webui/retrieval/web/utils.py (v0.9.5) imports the env constant AIOHTTP_CLIENT_ALLOW_REDIRECTS at line 51 and uses it on the five paths patched by CVE-2026-45401. utils/oauth.py does not import or reference it.

Exploitation

Preconditions:

  • ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true (common in production OAuth-IdP deployments)
  • Attacker has a valid identity on the configured OAuth IdP (Google, Microsoft, GitHub, or any generic OIDC provider)

Steps:

  1. Attacker hosts a redirect endpoint at http://attacker.example/r on a public IP. validate_url("http://attacker.example/r") returns True (is_global=True for public IPs).
  2. Attacker sets their IdP picture claim to http://attacker.example/r.
  3. Attacker signs in to open-webui via OAuth. open-webui invokes _process_picture_url("http://attacker.example/r", ...).
  4. validate_url accepts the public URL. session.get("http://attacker.example/r") is invoked.
  5. attacker.example responds HTTP/1.1 302 Found\r\nLocation: http://127.0.0.1:11434/api/tags. (Or http://169.254.169.254/latest/meta-data/iam/security-credentials/, RFC1918 internal services, etc.)
  6. aiohttp follows the redirect server-side. No re-validation.
  7. The internal response body is read into picture, base64-encoded, and stored as profile_image_url = "data:image/jpeg;base64,..." on the attacker's account.
  8. Attacker reads back via GET /api/v1/auths/. Decode the base64 payload to get the full internal response body.

Impact

Full-read SSRF, identical read-back primitive to CVE-2026-45338:

  • Cloud metadata services (AWS IMDSv1 at 169.254.169.254, GCP metadata.google.internal, Azure IMDS) → IAM credentials, managed-identity tokens
  • Localhost-bound services (Ollama at :11434, Redis, Elasticsearch, internal Postgres exporters)
  • RFC1918 internal infrastructure not exposed to the internet

Distinction from prior CVEs

Prior CVEThis findingDistinguishing fact
CVE-2026-45338 (GHSA-24c9)_process_picture_url had no validate_url() call at allFixed in v0.9.0 by adding the call. Ours is the call being insufficient because it doesn't loop over redirect targets. Different mechanism, different fix.
CVE-2026-45400 (GHSA-8w7q)validate_url() had urlparse-vs-requests parser disagreement on \@ charsFixed in v0.9.5 by char-blocklist. Ours is post-validation redirect-following — orthogonal mechanism.
CVE-2026-45401 (GHSA-rh5x)Five paths in retrieval, routers/images, utils/files, utils/middlewareParent class. Same CWE-918 redirect-bypass mechanism. utils/oauth.py::_process_picture_url is not among the five paths in the parent advisory's "Affected code paths" section. Same class, missed sink. Direct sibling.

Suggested fix

python
async with session.get(
    picture_url,
    **get_kwargs,
    ssl=AIOHTTP_CLIENT_SESSION_SSL,
    allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS,
# add
) as resp:

Or, if redirects must remain enabled by default, wrap in a manual-follow loop that re-invokes validate_url() on each Location header. This mirrors the fix shape applied to the five paths in CVE-2026-45401.

Affected versions

Vulnerable: <= 0.9.5 Fix: 0.9.6

References

  • CVE-2026-45401 / GHSA-rh5x-h6pp-cjj6 (parent cluster, redirect-bypass on 5 paths)
  • CVE-2026-45338 / GHSA-24c9-2m8q-qhmh (original _process_picture_url SSRF, patched v0.9.0)
  • CVE-2026-45400 / GHSA-8w7q-q5jp-jvgx (validate_url parser-disagreement bypass, patched v0.9.5)
  • open-webui issue #24560 (corroborates that the v0.9.5 redirect-fix was applied piecemeal across call sites)

Proof of Concept

End-to-end PoC executed against ghcr.io/open-webui/open-webui:v0.9.5 in Docker compose. Three services: attacker (OIDC IdP + 302-redirect endpoint on evil.example.com:9001/redirect), canary (internal target on internal-target.local:9002/sentinel), open-webui v0.9.5.

Fresh-CSPRNG sentinel generated after OAuth state-establishing call (per Gate 5.5 oracle protocol): SSRF-POC-5580111b2a0d7d0c8324bfa92a0d9d09.

Result:

  • profile_image_url field after OAuth login: data:image/jpeg;base64,U1NSRi1QT0MtNTU4MDExMWIyYTBkN2QwYzgzMjRiZmE5MmEwZDlkMDk=
  • Base64 decode: SSRF-POC-5580111b2a0d7d0c8324bfa92a0d9d09 (byte-for-byte sentinel match)
  • Canary log: !!! SSRF HIT - sentinel served

Chain confirmed: OAuth login → IdP returns picture claim evil.example.com:9001/redirect → validate_url() accepts FQDN → aiohttp.ClientSession.get(...) follows 302 to internal-target.local:9002/sentinel server-side without re-validation → response body base64-encoded into attacker's profile_image_url → readable via GET /api/v1/auths/.

PoC artifacts (compose, attacker server, canary, run/verify scripts, full transcript) available on request.

Reporter

Matteo Panzeri — GitHub: matte1782, contact: matteo1782@gmail.com. Requesting CVE credit as Matteo Panzeri.

Articles & Coverage 1

News 3 New Docker Vulnerabilities - 3 High Severity Jun 18, 2026

AnalysisAI

Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the _process_picture_url function in backend/open_webui/utils/oauth.py, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's profile_image_url and retrievable via GET /api/v1/auths/, yielding cloud metadata credentials and access to localhost-bound services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register identity on configured OAuth IdP
Delivery
Host public 302-redirect endpoint pointing at internal target
Exploit
Set IdP picture claim to attacker redirect URL
Install
Initiate OAuth login to Open WebUI
C2
Backend follows redirect server-side without revalidation
Execute
Internal response body base64-stored in profile_image_url
Impact
Read /api/v1/auths/ and decode internal data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires (1) Open WebUI <= 0.9.5 deployed with either `ENABLE_OAUTH_SIGNUP=true` or `OAUTH_UPDATE_PICTURE_ON_LOGIN=true` (both common in OAuth-IdP production deployments), (2) a configured OAuth/OIDC IdP on which the attacker can hold or register an identity and control the `picture` claim - Google, Microsoft, GitHub, or any generic OIDC provider satisfies this, (3) an attacker-controlled HTTP endpoint on a public IP that returns an HTTP 3xx with a `Location` header pointing at the desired internal target, and (4) the Open WebUI backend having network reachability to the targeted internal address (loopback, RFC1918, or cloud-metadata IP). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (8.5 High) is consistent with the technical facts: network-reachable endpoint, low complexity, scope change from the web app into adjacent internal services, and high confidentiality impact via the read-back primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free identity on the target's configured OAuth IdP (e.g., Google), points the IdP `picture` claim at `http://attacker.example/r`, and signs in to Open WebUI; the backend fetches the public URL, follows the attacker's 302 redirect to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, and stores the base64-encoded IMDS response in the attacker's `profile_image_url`. The attacker then calls `GET /api/v1/auths/`, base64-decodes the field, and recovers AWS IAM credentials or any localhost-bound service response (Ollama on `:11434`, Redis, Postgres exporters). …
Remediation Vendor-released patch: upgrade `open-webui` to version 0.9.6 or later (pip/PyPI and the corresponding `ghcr.io/open-webui/open-webui` image tag), per advisory GHSA-226f-f24g-524w at https://github.com/open-webui/open-webui/security/advisories/GHSA-226f-f24g-524w. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Open WebUI 0.9.5 and earlier deployments and disable public OAuth authentication if operationally feasible; immediately audit access logs for profile_image_url manipulation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53753 CRITICAL
9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL
9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co
CVE-2026-38716 CRITICAL
9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co
CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-55518 CRITICAL
9.6 Jun 17

Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 al

Share

CVE-2026-54008 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy