Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5.
Published: 2026-05-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
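The description above pins the flaw on a single point: validate_url() checks the URL the caller submitted, but the HTTP clients then follow 3xx responses on their own, so the redirect target is never compared against the private-IP / metadata-IP block list. The block below is an added illustration of the fix pattern, not Open WebUI's code and not necessarily how 0.9.5 implements it: automatic redirects are switched off, and every hop (initial URL and each Location target) goes through the same address check before it is requested. The function names, the block list contents, and the hostnames and addresses in the offline stand-in (public.example, 203.0.113.10) are assumptions constructed for the demo; only urllib, socket and ipaddress from the standard library are used.

```python
"""Redirect-aware SSRF guard: an added illustration, not Open WebUI's code.

In the vulnerable versions validate_url() checks only the URL the caller
submitted, and the HTTP client then follows 3xx responses on its own. The
guard below turns automatic redirects off and re-validates every hop against
a private / link-local / metadata block list before it is requested.
"""
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import Callable
from urllib.parse import urljoin, urlparse

# Ranges a fetcher acting on user-supplied URLs must never reach (assumed list).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local; includes metadata 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = (301, 302, 303, 307, 308)


class BlockedTargetError(ValueError):
    """A URL (initial or redirect hop) points at a blocked address."""


def resolve_all(host: str) -> list[str]:
    """Default resolver: every address the host resolves to (each must pass)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_hop(url: str, resolve: Callable[[str], list[str]] = resolve_all) -> str:
    """Reject bad schemes and any URL whose host resolves into a blocked range."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise BlockedTargetError(f"unsupported scheme {parsed.scheme!r}")
    if not parsed.hostname:
        raise BlockedTargetError("URL has no host")
    for addr in resolve(parsed.hostname):
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip   # treat ::ffff:10.0.0.1 as 10.0.0.1
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise BlockedTargetError(f"{parsed.hostname} resolves to blocked {addr}")
    return url


def is_blocked_url(url: str, resolve=resolve_all) -> bool:
    """Convenience predicate around validate_hop()."""
    try:
        validate_hop(url, resolve)
    except BlockedTargetError:
        return True
    return False


def fetch_no_redirect(url: str, timeout: float = 10.0) -> tuple[int, dict, bytes]:
    """Real transport: one request with automatic redirects disabled (stdlib urllib)."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None            # None = do not follow; urllib raises HTTPError instead
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:   # 3xx (and 4xx/5xx) arrive here
        return err.code, dict(err.headers.items()), err.read()


def safe_fetch(url, transport=fetch_no_redirect, resolve=resolve_all, max_redirects=5):
    """Follow redirects by hand, validating each target before requesting it.

    Returns (final_url, status, body) or raises BlockedTargetError.
    """
    current = validate_hop(url, resolve)
    for _ in range(max_redirects + 1):
        status, headers, body = transport(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_CODES and location:
            # The redirect target gets exactly the same check as the original URL.
            current = validate_hop(urljoin(current, location), resolve)
            continue
        return current, status, body
    raise BlockedTargetError(f"more than {max_redirects} redirects")


# Constructed, offline stand-in for DNS and the network (names and addresses are
# made up): a public host whose /page 302-redirects to the metadata address.
FAKE_DNS = {"public.example": ["203.0.113.10"], "169.254.169.254": ["169.254.169.254"]}
FAKE_SERVERS = {
    "http://public.example/page": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://public.example/safe": (200, {}, b"<html>ok</html>"),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"never returned to the caller"),
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS[host]


def fake_transport(url: str) -> tuple[int, dict, bytes]:
    return FAKE_SERVERS[url]


def demo() -> tuple[str, int, bytes]:
    """Outcome for the redirecting URL, plus status and body for the benign one."""
    try:
        safe_fetch("http://public.example/page", fake_transport, fake_resolve)
        outcome = "fetched"
    except BlockedTargetError as err:
        outcome = f"blocked: {err}"
    _, status, body = safe_fetch("http://public.example/safe", fake_transport, fake_resolve)
    return outcome, status, body


if __name__ == "__main__":
    print(demo())
```

Running the module prints the blocked outcome for the redirecting URL and a normal 200 for the benign one. Two design points matter beyond the redirect loop: every address a hostname resolves to is checked, not just the first, and the IPv4-mapped IPv6 form is normalised so that an address such as ::ffff:10.0.0.1 cannot slip past an IPv4-only list. One gap this guard leaves open is the window between the resolver check and the client's own DNS lookup; closing it means connecting to the address that was checked, which requires transport-level support rather than a pre-check on the URL string.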
AI Analysis

Impact

A server‑side request forgery flaw allows an authenticated user to submit a publicly reachable URL that redirects to a private or metadata address. The backend follows the redirect without re‑checking the target against the blocked IP list, returning the internal response body to the attacker and exposing sensitive information or enabling further exploitation. The weakness is identified as CWE‑918.

Affected Systems

All installations of Open WebUI older than version 0.9.5 are affected. The vulnerability manifests in backend functions that retrieve external content, including the web‑fetch and image‑load endpoints, and any route that uses these helpers. Users should ensure their Open WebUI instance is upgraded to 0.9.5 or later to receive the fix.

Risk and Exploitability

The CVSS score is 8.5, indicating high severity. While the EPSS score is not publicly available, the vulnerability is not listed in CISA's KEV catalog, suggesting that, as of the last advisory, exploitation is not confirmed. The attack requires authentication, but once authenticated the attacker can direct internal traffic through the server with ordinary HTTP requests, making the flaw powerful for data exfiltration or lateral movement within the private network.

Generated by OpenCVE AI on May 15, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.5 or later
  • Restrict the web‑fetch and image‑load endpoints to accept only whitelisted domains or disable them if not required
  • Configure network segmentation or firewall rules to block outbound redirects to private IP ranges and monitor for suspicious redirect activity



Advisories
Source: Github GHSA
ID: GHSA-rh5x-h6pp-cjj6
Title: Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)
History

Fri, 15 May 2026 22:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Open-webui; Open-webui open-webui
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Open-webui; Open-webui open-webui

Fri, 15 May 2026 21:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5.
Type: Title
  Values Removed: (none)
  Values Added: Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-918
Type: References
  Values Removed: (none)
  Values Added: (none shown)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Open-webui Open-webui
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T20:37:29.248Z

Reserved: 2026-05-12T01:48:40.451Z

Link: CVE-2026-45401

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T21:16:38.140

Modified: 2026-05-15T21:16:38.140

Link: CVE-2026-45401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T00:00:12Z

Weaknesses