Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Scope is Changed because the bypass enables server-side fetches to internal systems outside the application's intended security boundary, consistent with SSRF protection failure; PR:L confirmed by authentication requirement.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
AnalysisAI
Open WebUI's WEB_FETCH_FILTER_LIST blocklist enforcement fails to parse hostnames at label boundaries in versions prior to 0.10.0, enabling authenticated users to bypass administrator-configured host restrictions and trigger server-side fetches to internally restricted resources. Two bypass classes exist: embedding a blocked hostname in the URL path component (e.g., https://attacker.com/internal.corp/data) rather than the authority, and using a sibling domain sharing the blocked entry's suffix (e.g., evilinternalhost.example.com matching a blocklist entry for internalhost.example.com). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated user account on the Open WebUI instance - CVSS PR:L is confirmed by the provided vector, meaning unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N captures the constrained baseline: exploitation requires authentication (PR:L), the scope is recorded as unchanged (S:U), and confidentiality impact is rated Low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged Open WebUI user submits a crafted URL with a blocked internal hostname embedded in the path component - for example, https://attacker.com/internal.corp.example.com/sensitive - or uses a sibling domain such as evilinternal.corp.example.com to circumvent a blocklist entry for internal.corp.example.com. The Open WebUI server fetches the resolved destination and returns its response to the user, potentially exposing cloud instance metadata credentials, internal API responses, or private network resources. … |
| Remediation | The primary remediation is upgrading Open WebUI to version 0.10.0 or later, which corrects the hostname matching logic to enforce label-boundary comparisons, eliminating both the path-based and sibling-domain bypass classes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42633