Impact
The vulnerability lies in the backend function that processes OAuth profile picture URLs. It unconditionally fetches the image from any URL declared in the OAuth provider’s picture claim. Because no validation or whitelisting is performed, an attacker can supply a forged claim pointing to an internal endpoint, forcing the Open WebUI server to make an HTTP request to that endpoint and retrieve the entire response, thus exfiltrating internal data. Open WebUI is a self‑hosted artificial intelligence platform that can run offline, yet this SSRF flaw allows externally supplied tokens to induce network calls to internal resources. The flaw is corrected in Open WebUI 0.9.0, after which the insecure URL fetching is removed.
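As an added illustration of the check that was missing (example code, not Open WebUI's own), below is a validator a backend could run on the picture claim before fetching anything. The allowlisted hostnames are constructed example values and the injectable `resolver` parameter is a hypothetical convenience for offline testing.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames the identity provider is known to serve avatars from. These are
# constructed example values; a deployment would take them from its OAuth
# provider configuration rather than trusting whatever the claim says.
ALLOWED_PICTURE_HOSTS = {
    "lh3.googleusercontent.com",
    "avatars.githubusercontent.com",
}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses. Rejects loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 cloud metadata address),
    IPv6 ULA and multicast, so a fetch cannot land on an internal service."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def picture_url_is_safe(url, resolver=socket.getaddrinfo) -> bool:
    """Decide whether a picture URL taken from an OAuth token claim may be
    fetched. `resolver` is injectable (hypothetical parameter) so the check
    can be exercised without network access."""
    if not isinstance(url, str) or len(url) > 2048:
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # no http://, file://, gopher:// or other schemes
    if parts.username or parts.password:
        return False  # reject https://user@host forms that confuse parsers
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        return False  # malformed port component
    if not host or host.lower() not in ALLOWED_PICTURE_HOSTS:
        return False
    if port not in (None, 443):
        return False
    # An allowlisted name must also resolve only to public addresses; this
    # closes the case where the name points at an internal host. The actual
    # fetch should then run with redirects disabled, or re-check each
    # redirect target with this same function.
    try:
        infos = resolver(host, 443, proto=socket.IPPROTO_TCP)
    except OSError:
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and all(is_public_ip(a) for a in addrs)
```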
Affected Systems
Open WebUI, versions prior to 0.9.0, hosted on any platform where the backend runs the open_webui/utils/oauth.py module. The software is self‑hosted and designed to operate offline, but the flaw still allows remote users to trigger SSRF via the OAuth flow in affected installations.
Risk and Exploitability
The CVSS score of 7.7 reflects a medium‑to‑high severity vulnerability; the EPSS score is not available, so the current exploitation probability cannot be quantified, but the absence of any validation in affected versions leaves exploitation plausible. The flaw is not listed in the CISA KEV catalog, suggesting no publicly documented active exploitation. Based on the description, it is inferred that an attacker can exploit the SSRF by authenticating through the OAuth provider and tampering with the picture URL claim in the token, which is generally possible where the provider allows that claim to be configured. The impact includes internal data exfiltration and potential compromise of internal services, making it critical to remediate promptly.
OpenCVE Enrichment
GitHub GHSA