Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without allow_redirects=False. aiohttp's default is allow_redirects=True, max_redirects=10; the function does not pass the project's AIOHTTP_CLIENT_ALLOW_REDIRECTS env constant either. An attacker with a valid OAuth IdP identity can therefore submit a public URL that 302-redirects to an internal address and read the internal response body via the attacker's own profile_image_url field. This vulnerability is fixed in 0.9.6.
Published: 2026-06-23
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI’s OAuth picture handling contains a server‑side request forgery flaw that arises during the processing of user‑supplied profile image URLs. The _process_picture_url routine validates only the initial URL, then performs an HTTP GET with aiohttp's defaults – redirects enabled (allow_redirects=True), a maximum of 10 hops – and does not honour the AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable. An attacker who has a legitimate OAuth IdP token can supply a public URL that issues a 302 redirect to an internal address; the backend follows the redirect, retrieves the internal resource, and embeds its body into the attacker’s profile image field. The result is internal data exposure without privilege escalation, identified as CWE‑918. The defect was addressed in Open WebUI 0.9.6.

Affected Systems

Open WebUI, a self‑hosted artificial intelligence platform. All deployments running a version older than 0.9.6 are affected by this SSRF flaw.

Risk and Exploitability

The CVSS score of 8.5 denotes high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must possess a valid OAuth IdP token and submit a crafted picture URL to trigger the SSRF. Once triggered, the attacker can read the content of internal services reachable from the backend via the internal redirect, without needing privilege escalation. This poses a significant risk to organizations that allow external OAuth integrations and expose internal network services.

Generated by OpenCVE AI on June 24, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.6 or later, which prevents following redirects in the picture URL routine.
  • If an upgrade is not immediately possible, configure the environment variable AIOHTTP_CLIENT_ALLOW_REDIRECTS to False or set a low maximum redirect limit to reduce the SSRF window.
  • Review and restrict OAuth IdP configurations to allow only trusted URLs for profile images or implement a whitelist to prevent malicious redirect chains.

Generated by OpenCVE AI on June 24, 2026 at 10:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-226f-f24g-524w Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
History

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without allow_redirects=False. aiohttp's default is allow_redirects=True, max_redirects=10; the function does not pass the project's AIOHTTP_CLIENT_ALLOW_REDIRECTS env constant either. An attacker with a valid OAuth IdP identity can therefore submit a public URL that 302-redirects to an internal address and read the internal response body via the attacker's own profile_image_url field. This vulnerability is fixed in 0.9.6.
Title Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url`
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:33:51.722Z

Reserved: 2026-06-11T16:34:11.635Z

Link: CVE-2026-54008

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)