CVE-2026-45400 Overview
CVE-2026-45400 is a Server-Side Request Forgery (SSRF) bypass vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The flaw stems from a parsing difference between the Python urlparse function and the requests library. Attackers with low privileges can exploit this URL parser differential to bypass SSRF protections and force the server to issue requests to unintended destinations. The vulnerability affects all versions prior to 0.9.5 and is tracked under CWE-918: Server-Side Request Forgery.
Critical Impact
Authenticated attackers can bypass URL validation to reach internal network resources, cloud metadata endpoints, and other restricted services accessible from the Open WebUI host.
Affected Products
- Open WebUI versions prior to 0.9.5
- Self-hosted Open WebUI deployments using URL-based fetching features
- Open WebUI instances exposed to authenticated user input
Discovery Timeline
- 2026-05-15 - CVE-2026-45400 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45400
Vulnerability Analysis
The vulnerability arises from inconsistent URL parsing behavior between two Python components used inside Open WebUI. The validation logic uses urlparse from the standard library to inspect a user-supplied URL and determine whether the target host is safe. The outbound HTTP call is then performed by the requests library, which parses the same URL using different rules.
This differential allows an attacker to craft a URL that urlparse interprets as pointing to an allowed host, while requests resolves it to an internal or restricted destination. The validation and fetching stages disagree on what the URL means, so the server issues SSRF requests to destinations the protection layer believed it had vetted as safe. The flaw is fixed in Open WebUI version 0.9.5.
Root Cause
The root cause is a parser confusion condition between urlparse and the URL handling inside requests. Differences in how each library treats edge cases such as embedded credentials, unusual authority components, IPv6 brackets, or malformed host segments produce divergent host extraction. Security decisions made on one parser's output do not bind the network behavior of the other.
Attack Vector
An authenticated user submits a crafted URL to an Open WebUI feature that fetches remote content. The application validates the URL with urlparse, accepts it as external, and passes it to requests. The requests library then connects to an internal target such as 127.0.0.1, link-local addresses like 169.254.169.254, or other internal services. The server returns or processes the response, exposing internal data or enabling further lateral movement.
No verified exploit code is publicly available. Technical specifics are documented in the Open WebUI GitHub Security Advisory GHSA-8w7q-q5jp-jvgx.
Detection Methods for CVE-2026-45400
Indicators of Compromise
- Outbound HTTP requests from the Open WebUI process to RFC1918 addresses, loopback, or cloud metadata endpoints such as 169.254.169.254
- URLs in application logs containing unusual authority segments, embedded @ characters, or mixed host representations
- Unexpected access patterns in internal services originating from the Open WebUI host
Detection Strategies
- Inspect Open WebUI request logs for fetch operations targeting non-public IP ranges or cloud metadata services
- Compare the host parsed at validation time with the host actually contacted at the network layer to identify parser disagreement
- Alert on HTTP requests from AI platform hosts to internal infrastructure that should not be reachable from user-driven workflows
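The following validator is an added example, not code from Open WebUI or its fix, that applies the Root Cause and Detection Strategies points above: it canonicalizes the URL before checking it, so the exact string handed to the HTTP client is the string that was validated; where urllib3 (the library requests prepares its URLs with) is installed, it requires urllib3's parse_url to agree with urlparse on the host; and it resolves the host so that any non-public address, including split answers, is rejected. The function names, the hostname pattern and the injectable resolver are assumptions of this example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse, urlunparse

try:  # requests prepares its outbound URL with urllib3.util.parse_url
    from urllib3.util import parse_url as _urllib3_parse
except ImportError:
    _urllib3_parse = None

# Plain DNS labels only: no userinfo, brackets, percent-escapes or unicode.
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$")

def default_resolver(host):  # every address the host maps to (A and AAAA)
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def canonical_url(url):
    """Normalized http(s) URL, or None when the authority is at all ambiguous."""
    try:
        p = urlparse(url)
        netloc = (p.hostname or "").lower() + (f":{p.port}" if p.port else "")
    except ValueError:  # non-numeric port, malformed IPv6 literal, ...
        return None
    ok = p.scheme in ("http", "https") and _HOST_RE.match(netloc.split(":")[0])
    if not ok or p.netloc.lower() != netloc:  # userinfo, brackets, odd host spelling
        return None
    return urlunparse((p.scheme, netloc, p.path or "/", p.params, p.query, ""))

def is_safe_destination(url, resolver=default_resolver):
    """True only when the canonical URL points exclusively at public addresses."""
    canon = canonical_url(url)
    if canon is None:
        return False
    host = urlparse(canon).hostname
    if _urllib3_parse is not None:  # the parser requests uses must agree
        try:
            if (_urllib3_parse(canon).host or "").lower() != host:
                return False
        except Exception:
            return False
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        if all(label.isdigit() for label in host.split(".")):
            return False  # numeric shorthand such as 127.1
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False
    return bool(addrs) and all(a.is_global for a in addrs)
```

Pass the string returned by canonical_url, never the raw user input, to the HTTP client; the resolver is injectable so the check can be unit-tested offline and, in production, pinned to the address the connection will actually use.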
Monitoring Recommendations
- Capture egress network telemetry from the Open WebUI host and forward it to a centralized analytics platform for review
- Monitor authentication and request logs for low-privilege accounts performing repeated URL fetch operations
- Track version inventory for Open WebUI deployments to confirm all instances are at 0.9.5 or later
How to Mitigate CVE-2026-45400
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later on all self-hosted instances
- Restrict outbound network access from Open WebUI hosts to only required destinations using firewall or egress proxy rules
- Block access from Open WebUI hosts to cloud instance metadata endpoints and internal management networks
Patch Information
The maintainers fixed CVE-2026-45400 in Open WebUI 0.9.5. The patch aligns URL handling so that the host validated by urlparse matches the host used by requests when issuing the outbound call. Review the GHSA-8w7q-q5jp-jvgx advisory for release notes and upgrade guidance.
Workarounds
- Place Open WebUI behind an egress proxy that enforces an allow-list of permitted external hostnames
- Deploy the application in a network segment that has no route to internal services or cloud metadata endpoints
- Disable or restrict user-facing features that perform server-side URL fetching until the upgrade is applied
# Example egress restriction using iptables to block metadata and RFC1918 access.
# The owner match only sees packets generated on this host by processes running
# as the 'openwebui' user; it does not cover traffic forwarded from a container.
iptables -A OUTPUT -m owner --uid-owner openwebui -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 127.0.0.0/8 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.