Impact
Open WebUI, a self-hosted offline AI platform, has a full Server-Side Request Forgery (SSRF) flaw in its Retrieval-Augmented Generation (RAG) web search function. The bug stems from the validate_url function, which incorrectly treats IPv6 addresses as valid because the validators library ignores the private flag when checking them. The same oversight lets IPv4-mapped IPv6 addresses bypass the IPv4 checks, and reserved IPv4 ranges are not blocked at all, so an attacker can craft search queries that make the server request arbitrary internal network resources. The flaw can lead to disclosure of internal data, lateral movement, or further exploitation depending on the internal services reached.
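As an added example (not code from the Open WebUI project or from this advisory), the following Python shows a validate_url replacement that closes the three gaps described above: IPv6 literals are checked with the same policy as IPv4, IPv4-mapped IPv6 addresses are unwrapped before the check, and reserved and other non-global IPv4 ranges are rejected. The `resolver` parameter is a hypothetical injection point added so the check can be exercised without network access; the sample addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_public_ip(ip_str: str) -> bool:
    """True only for a globally routable address, IPv4 or IPv6."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 must be judged as
    # the IPv4 address it wraps, otherwise it slips past IPv4-only checks.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # One policy for both families: private, loopback, link-local, multicast,
    # reserved (e.g. 240.0.0.0/4), unspecified and non-global ranges all fail.
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
        or ip.is_reserved or ip.is_unspecified or not ip.is_global
    )


def validate_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public addresses.

    `resolver` is a hypothetical injection point (assumption for this example)
    so the check can run offline; it defaults to the real socket.getaddrinfo.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname  # urlparse already strips the [] around IPv6 literals
    try:
        ipaddress.ip_address(host)
        return is_public_ip(host)  # literal address: no DNS lookup needed
    except ValueError:
        pass  # a hostname; fall through to resolution
    try:
        results = resolver(host, None)
    except (socket.gaierror, OSError):
        return False
    # Check every A and AAAA record: a single internal answer rejects the URL.
    addresses = {entry[4][0] for entry in results}
    return bool(addresses) and all(is_public_ip(a) for a in addresses)
```

This check validates the addresses seen at validation time; the HTTP client should pin its connection to those same addresses and re-validate each redirect target, since a hostname may resolve differently on the later connect.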
Affected Systems
Any deployment of the open-webui product before version 0.9.0 is vulnerable. The issue exists in all earlier releases of the platform regardless of hosting environment and is documented in the open-webui codebase: the backend module open_webui/retrieval/web/utils.py contains the faulty validate_url logic. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS base score of 8.5 indicates a high-severity vulnerability. EPSS data is not available and the flaw is not listed in the CISA KEV catalog, which suggests a moderate exploitation likelihood at present, although a full SSRF is an attractive target for anyone with access to the RAG search interface. Attackers exploit the flaw by submitting malicious URLs through the web search feature, directing the server to internal services they could not otherwise reach. Based on the description, it is inferred that no authentication is required: the ability to submit search queries is needed, but no privilege escalation or authentication prerequisite is documented.
OpenCVE Enrichment
Github GHSA