Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft `path` values containing encoded `../` traversal sequences that escape the intended path (or policy) scope on that server, reaching unintended endpoints and files on the terminal-server host. Where the terminal server fans requests out to internal services, this also gives SSRF-style reach into those services. This is a separate code path from the `/api/v1/retrieval/process/web` SSRF (GHSA-c6xv-rcvw-v685), with its own input. Two distinct vectors are consolidated here: first, raw path forwarding / single-encoded traversal (original report); and second, a bypass of the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`). The attacker-controlled input is the request `path`, supplied by the non-admin user, not anything an administrator configures, so this is not an admin-trust / Rule-9 situation. Version 0.9.6 fixes the issue.
Published: 2026-06-18
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user who has terminal server access can craft path values that include encoded "../" traversal sequences, bypassing the intended path restrictions on the terminal server. The untrusted input is the request path parameter, not an administrator-configured value, which means the attack relies on user-controlled data. The flaw permits reading or modifying files on the terminal-server host and, where the server forwards requests to internal services, it also allows SSRF. The vulnerability originates from weaknesses in input validation and path handling (CWE-22 and CWE-918) and could enable attackers to compromise confidentiality, integrity, and potentially execute malicious code on the server.

Affected Systems

The issue affects all versions of open-webui (vendor open-webui) released prior to 0.9.6. The problem was remedied in release 0.9.6 by adding proper path sanitization. Users of earlier releases should verify their instance version to determine exposure.

Risk and Exploitability

With a CVSS score of 7.7 the flaw is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because exploitation requires an authenticated user with terminal-server privileges, the threat is limited to those accounts. The attacker supplies a specially crafted path in the terminal-server request, so the attack vector is the web UI. If an attacker can gain terminal-server access, the risk of unauthorized file disclosure or SSRF is significant.

Generated by OpenCVE AI on June 18, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the open-webui software to version 0.9.6 or later, which implements proper path sanitization.
  • If upgrading is not immediately possible, restrict terminal-server access to a minimal set of trusted users and monitor traffic for unusual path patterns that could indicate traversal attempts.
  • Additionally, consider disabling or hardening the reverse-proxy path handling by enforcing an administrator-defined whitelist of acceptable paths or disabling proxy forwarding for non-trusted users.
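As an added illustration of the two vectors the description names (single-encoded traversal, and the `%252e%252e` double-encoding bypass of a decode-once check) and of the path sanitization the recommended actions refer to, the following Python is example code written for this page. It is not Open WebUI's `_sanitize_proxy_path` or any other code from the project. `weak_sanitize` models the decode-once shape that double encoding slips past; `confine_proxy_path` is one hardened alternative that decodes to a fixed point and then validates plain text. All function names, the decode bound `MAX_DECODE_ROUNDS`, and the probe paths are assumptions constructed for the example.

```python
"""Example (not Open WebUI code): confining a user-supplied proxy path."""
from urllib.parse import unquote
import posixpath

# Assumption: how many decode rounds we tolerate before treating the input as hostile.
MAX_DECODE_ROUNDS = 3


def fully_decode(segment: str) -> str:
    """Percent-decode until the value stops changing.

    %2e -> '.', %252e -> %2e -> '.', and so on. If it is still changing after
    MAX_DECODE_ROUNDS the input is nested deeper than any legitimate client
    would produce, so reject it instead of guessing.
    """
    current = segment
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("percent-encoding did not reach a fixed point")


def weak_sanitize(path: str) -> str:
    """Decode-once check (hypothetical), the shape that %252e%252e bypasses.

    One unquote() turns %252e%252e into %2e%2e, which contains no literal '..',
    so the check passes and the still-encoded value is forwarded upstream.
    """
    decoded = unquote(path)
    if ".." in decoded.split("/"):
        raise ValueError("traversal segment")
    return decoded


def upstream_view(forwarded: str) -> str:
    """What a terminal server that decodes the forwarded path once would see."""
    return unquote(forwarded)


def confine_proxy_path(path: str) -> str:
    """Hardened alternative: decode to a fixed point, then validate the plain text.

    Rejects anything still percent-encoded, absolute paths, backslashes, NUL,
    and empty or dot segments, so '..' cannot survive in any encoding.
    """
    decoded = fully_decode(path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        raise ValueError("unsafe characters after decoding")
    if decoded.startswith("/"):
        raise ValueError("absolute path not allowed")
    segments = decoded.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError("empty or dot segment")
    normalized = posixpath.normpath(decoded)
    # Unreachable after the segment check; kept as defence in depth.
    if normalized == ".." or normalized.startswith(("../", "/")):
        raise ValueError("path escapes proxy root")
    return normalized


def is_confined(path: str) -> bool:
    """True if the hardened check accepts the path."""
    try:
        confine_proxy_path(path)
        return True
    except ValueError:
        return False


def weak_accepts(path: str) -> bool:
    """True if the decode-once check accepts the path."""
    try:
        weak_sanitize(path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed probes for this example, not captured traffic.
    for probe in ("sessions/abc/log.txt", "../etc/passwd",
                  "%2e%2e/etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{probe!r:28} weak={weak_accepts(probe)} hardened={is_confined(probe)}")
```

The design point is that a sanitizer must validate the same representation the upstream will act on: decoding once and scanning for `..` leaves `%2e%2e` to be decoded a second time by the terminal server. Decoding to a fixed point and then refusing any residual `%`, dot segment or absolute path closes both the single- and double-encoded variants; a whitelist of allowed leading segments, as the third recommended action suggests, can be layered on top of `confine_proxy_path`.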



Advisories

Source: Github GHSA
ID: GHSA-r2wg-2mcr-66rv
Title: Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
History

Fri, 19 Jun 2026 00:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Open-webui; Open-webui open-webui

Type: Vendors & Products
Values Removed: (none)
Values Added: Open-webui; Open-webui open-webui

Thu, 18 Jun 2026 22:00:00 +0000

Values Removed: (none)

Values Added:

Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft `path` values containing encoded `../` traversal sequences that escape the intended path (or policy) scope on that server, reaching unintended endpoints and files on the terminal-server host. Where the terminal server fans requests out to internal services, this also gives SSRF-style reach into those services. This is a separate code path from the `/api/v1/retrieval/process/web` SSRF (GHSA-c6xv-rcvw-v685), with its own input. Two distinct vectors are consolidated here: first, raw path forwarding / single-encoded traversal (original report); and second, a bypass of the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`). The attacker-controlled input is the request `path`, supplied by the non-admin user, not anything an administrator configures, so this is not an admin-trust / Rule-9 situation. Version 0.9.6 fixes the issue.

Title: Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal

Weaknesses: CWE-22, CWE-918

References: (none listed)

Metrics: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T21:09:07.606Z

Reserved: 2026-06-11T16:34:11.636Z

Link: CVE-2026-54017

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-918

    Server-Side Request Forgery (SSRF)