CVE-2026-45401 Overview
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. CVE-2026-45401 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting Open WebUI versions prior to 0.9.5. The validate_url() function in backend/open_webui/retrieval/web/utils.py checks only the initial URL submitted by the caller. Downstream HTTP clients follow 3xx redirects without re-validating targets against the private-IP and metadata-IP block list. Authenticated users can submit a public URL that redirects to internal addresses such as 127.0.0.1, 169.254.169.254, or RFC1918 ranges. The fix ships in version 0.9.5.
Critical Impact
Authenticated attackers can read internal network responses, including cloud metadata service content, by abusing redirect-following HTTP clients across multiple Open WebUI endpoints.
Affected Products
- Open WebUI versions prior to 0.9.5
- Endpoints calling validate_url(), including /api/v1/retrieval/process/web
- /api/v1/images/... endpoints and /api/chat/completions with image_url content parts
Discovery Timeline
- 2026-05-15 - CVE-2026-45401 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45401
Vulnerability Analysis
The vulnerability resides in Open WebUI's URL validation logic for outbound HTTP requests. The validate_url() helper in backend/open_webui/retrieval/web/utils.py inspects the user-supplied URL and rejects requests targeting private or link-local addresses. The validation is performed only once, before the HTTP client issues the request.
Open WebUI uses several HTTP clients downstream of this check: synchronous requests, asynchronous aiohttp, and langchain's WebBaseLoader. All three follow HTTP 3xx redirects by default. None re-invoke the block-list check against the redirect's Location header.
An authenticated user can host an attacker-controlled URL that responds with a 302 redirect to 127.0.0.1, 169.254.169.254, or any RFC1918 address. The response body of the internal request is returned to the caller through endpoints such as /api/v1/retrieval/process/web, the image-fetching routes under /api/v1/images/..., and /api/chat/completions when supplied with an image_url content part.
Root Cause
The root cause is incomplete validation across the request lifecycle. The block list applies only to the initial URL and is never re-evaluated after a redirect. The HTTP client libraries are used with default redirect-following behavior, which bypasses the intended security boundary.
Attack Vector
Exploitation requires authenticated access to the Open WebUI instance. The attacker submits a public URL pointing to a server they control. That server returns a 302 response with a Location header set to an internal target, such as a cloud instance metadata service. Open WebUI follows the redirect and returns the internal response body to the attacker. Refer to the GitHub Security Advisory GHSA-rh5x-h6pp-cjj6 for additional technical detail.
Detection Methods for CVE-2026-45401
Indicators of Compromise
- Outbound HTTP requests from the Open WebUI service followed immediately by connections to 127.0.0.1, 169.254.169.254, or RFC1918 addresses.
- Access log entries on /api/v1/retrieval/process/web, /api/v1/images/..., or /api/chat/completions containing external URLs that resolve to redirect responses.
- Unexpected reads of cloud instance metadata endpoints originating from the Open WebUI process.
Detection Strategies
- Inspect HTTP egress from Open WebUI hosts for 3xx responses immediately preceding connections to private IP ranges.
- Correlate authenticated API calls with downstream socket connections to link-local or loopback destinations.
- Audit Open WebUI request logs for URLs supplied by users that return HTTP redirects to non-public addresses.
Monitoring Recommendations
- Enable egress filtering and log all outbound traffic from Open WebUI containers or hosts.
- Alert on any request from the Open WebUI service to 169.254.169.254 or other metadata IPs.
- Track the rate of user-submitted URLs to web retrieval endpoints and flag accounts with anomalous volumes.
How to Mitigate CVE-2026-45401
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later, where the validation is enforced on redirect targets.
- Restrict network egress from the Open WebUI host so it cannot reach internal services or cloud metadata endpoints.
- Review authentication settings and disable self-registration if untrusted users can obtain accounts.
Patch Information
The vendor has released a fix in Open WebUI 0.9.5. Details are available in the Open WebUI GitHub Security Advisory GHSA-rh5x-h6pp-cjj6. Operators should redeploy from the patched container image or upgrade Python package installs to the fixed release.
Workarounds
- Place Open WebUI behind an egress proxy that blocks traffic to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges.
- Disable web retrieval and image URL features for non-administrative users until the upgrade is applied.
- Require IMDSv2 with session tokens on AWS so that metadata cannot be retrieved via simple GET requests.
# Configuration example: block private and metadata destinations at the host firewall
iptables -A OUTPUT -m owner --uid-owner openwebui -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openwebui -d 192.168.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
