Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302) by default, an attacker can bypass the validation by providing a safe URL that redirects to a restricted internal network address (e.g., localhost, Docker container network, or Cloud Metadata). This allows the application to access internal services despite ENABLE_RAG_LOCAL_WEB_FETCH being set to False. This vulnerability is fixed in 0.9.6.
Published: 2026-06-23
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI is a self‑hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.9.6, its SafePlaywrightURLLoader implemented a validate_url function that checks a user‑supplied URL’s IP address to prevent SSRF attacks. The validation, however, only applies to the initial URL. Because Playwright automatically follows HTTP redirects (301/302), an attacker can supply a seemingly safe external URL that redirects to a restricted internal network address such as localhost, a Docker container network, or cloud metadata. This bypasses the check and permits the application to access internal services even though ENABLE_RAG_LOCAL_WEB_FETCH is set to False. The vulnerability was fixed in 0.9.6. This flaw enables Server‑Side Request Forgery (CWE‑918).

Affected Systems

All installations of Open WebUI running a version prior to 0.9.6 are affected. The issue exists in the open‑webui:open‑webui product. Upgrading to 0.9.6 or newer applies the fix that validates redirect targets.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The vulnerability is exploitable by any remote user who can instruct the application to fetch a URL, a capability typically exposed through normal functionality. The issue is not recorded in CISA KEV. The straightforward redirect trick makes the vulnerability comparatively easy to use. The absence of an EPSS score means the current exploitation probability is unknown, but the high severity and simple attack vector elevate the overall risk.

Generated by OpenCVE AI on June 24, 2026 at 10:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.6 or newer, which includes the fixed SafePlaywrightURLLoader that validates redirect targets.
  • If an upgrade cannot be applied immediately, configure Playwright or the application to disable automatic HTTP redirect following, or enforce that redirects must not point to internal IP ranges.
  • Ensure that the ENABLE_RAG_LOCAL_WEB_FETCH setting remains disabled in production deployments to limit the ability of internal services to be accessed.
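As an added example of the second recommended action (not Open WebUI's own code, and written against no Playwright API), the following Python re-validates every redirect hop instead of only the initial URL. The hostnames, addresses and HTTP responses are constructed, and the resolver and fetcher are injected so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse
Resolver = Callable[[str], List[str]]  # hostname -> IP strings (injected, so it runs offline)
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]  # url -> (status, headers), no auto-redirect

def host_ips(hostname: str, resolve: Resolver) -> List[str]:
    """IP literals are used as-is; names go through the resolver; lookup failures yield []."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        pass
    try:
        return resolve(hostname)
    except OSError:
        return []

def url_is_allowed(url: str, resolve: Resolver) -> bool:
    """Allow only http(s) URLs whose host resolves solely to globally routable addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ips = host_ips(parts.hostname, resolve)
    # Loopback, RFC 1918, link-local (cloud metadata) and unresolvable hosts all fail here.
    return bool(ips) and all(ipaddress.ip_address(ip).is_global for ip in ips)

def fetch_with_checked_redirects(url: str, fetch: Fetcher, resolve: Resolver,
                                 max_hops: int = 5) -> str:
    """Follow redirects by hand, validating each Location target before it is fetched."""
    for _ in range(max_hops + 1):
        if not url_is_allowed(url, resolve):
            raise ValueError(f"blocked hop: {url}")
        status, headers = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url  # final, validated URL
        location = headers.get("Location")
        if not location:
            raise ValueError(f"redirect without Location at {url}")
        url = urljoin(url, location)  # Location may be relative
    raise ValueError("too many redirects")

# Constructed offline sample (hypothetical host, constructed responses): a public-looking
# host whose first path redirects to the link-local cloud metadata address.
SAMPLE_DNS = {"files.example": ["93.184.216.34"]}  # a routable sample address
SAMPLE_HTTP = {
    "http://files.example/doc": (302, {"Location": "http://169.254.169.254/latest/"}),
    "http://files.example/page": (301, {"Location": "/page/"}),
    "http://files.example/page/": (200, {}),
}
sample_resolve: Resolver = lambda host: SAMPLE_DNS.get(host, [])
sample_fetch: Fetcher = lambda url: SAMPLE_HTTP.get(url, (404, {}))
```

In production the connection should also be pinned to the IP that was validated (or the hop rejected if a second lookup differs), since a separate resolution at connect time is open to DNS rebinding.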



Advisories
Source: GitHub GHSA
ID: GHSA-jrfp-m64g-pcwv
Title: Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
History

Tue, 23 Jun 2026 20:15:00 +0000

Type: First Time appeared
Values Added: Open-webui; Open-webui open-webui
Type: Vendors & Products
Values Added: Open-webui; Open-webui open-webui

Tue, 23 Jun 2026 18:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type: Description
Values Added: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302) by default, an attacker can bypass the validation by providing a safe URL that redirects to a restricted internal network address (e.g., localhost, Docker container network, or Cloud Metadata). This allows the application to access internal services despite ENABLE_RAG_LOCAL_WEB_FETCH being set to False. This vulnerability is fixed in 0.9.6.
Type: Title
Values Added: Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
Type: Weaknesses
Values Added: CWE-918
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1
{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:56:11.400Z

Reserved: 2026-06-11T16:34:11.636Z

Link: CVE-2026-54018

Vulnrichment

Updated: 2026-06-23T17:55:57.926Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)