{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-webui--0.9.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.9.4)"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-45400","open-webui","web-application","github-advisory"],"_cs_type":"threat","_cs_vendors":["pip"],"content_html":"\u003cp\u003eOpen WebUI versions 0.9.4 and earlier contain a server-side request forgery (SSRF) vulnerability (CVE-2026-45400) in the \u003ccode\u003evalidate_url\u003c/code\u003e function. The vulnerability arises from inconsistent URL parsing between the \u003ccode\u003eurlparse\u003c/code\u003e and \u003ccode\u003erequests\u003c/code\u003e libraries. Specifically, \u003ccode\u003eurlparse\u003c/code\u003e may interpret a URL like \u003ccode\u003ehttp://127.0.0.1:6666\\@1.1.1.1\u003c/code\u003e as pointing to the public IP address \u003ccode\u003e1.1.1.1\u003c/code\u003e, while the \u003ccode\u003erequests\u003c/code\u003e library interprets it as the internal IP address \u003ccode\u003e127.0.0.1:6666\u003c/code\u003e. This discrepancy allows an attacker to bypass the intended URL validation and make unauthorized requests to internal resources. Successful exploitation can lead to information disclosure or further internal network compromise. The vulnerability was reported on May 14, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL with the format \u003ccode\u003ehttp://127.0.0.1:6666\\@public.ip.address\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user provides the crafted URL to Open WebUI, which uses the \u003ccode\u003evalidate_url\u003c/code\u003e function to validate the URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidate_url\u003c/code\u003e function uses \u003ccode\u003eurllib.parse.urlparse\u003c/code\u003e to parse the hostname of the URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eurllib.parse.urlparse\u003c/code\u003e incorrectly identifies the hostname as \u003ccode\u003epublic.ip.address\u003c/code\u003e due to the presence of the \u003ccode\u003e@\u003c/code\u003e symbol after the internal IP address.\u003c/li\u003e\n\u003cli\u003eThe validation logic considers \u003ccode\u003epublic.ip.address\u003c/code\u003e as a public IP and approves the URL.\u003c/li\u003e\n\u003cli\u003eThe application then uses the \u003ccode\u003erequests.get\u003c/code\u003e function to make a request to the validated URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erequests.get\u003c/code\u003e interprets the URL differently and sends the request to the internal IP address \u003ccode\u003e127.0.0.1:6666\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully makes a request to the internal IP address, achieving SSRF and potentially gaining access to sensitive information or internal services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-45400) in Open WebUI can allow an attacker to bypass URL validation and make unauthorized requests to internal resources. This may lead to information disclosure, access to internal services, or further compromise of the internal network. The severity is rated as high due to the potential for significant impact on confidentiality and integrity. Affected organizations may experience data breaches or service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Open WebUI that addresses the URL parsing discrepancy.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI SSRF Attempt via Malicious URL\u003c/code\u003e to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden URL validation logic within the Open WebUI application to ensure consistent parsing across different libraries.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:37:19Z","date_published":"2026-05-14T20:37:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-ssrf/","summary":"Open WebUI versions 0.9.4 and earlier are vulnerable to Server-Side Request Forgery (SSRF) due to a parsing difference between the urlparse and requests libraries in the `validate_url` function, allowing attackers to bypass URL validation and make requests to internal IP addresses.","title":"Open WebUI SSRF Vulnerability via URL Parsing Discrepancy (CVE-2026-45400)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-ssrf/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.3,"id":"CVE-2025-64496"},{"cvss":8.7,"id":"CVE-2025-64495"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.9.4)"],"_cs_severities":["high"],"_cs_tags":["xss","stored-xss","oauth","open-webui"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eOpen WebUI versions 0.9.4 and earlier are vulnerable to a stored cross-site scripting (XSS) attack due to improper validation of profile images when users sign in via OAuth. The application fetches a URL provided in the OAuth \u003ccode\u003epicture\u003c/code\u003e claim, infers the MIME type from the URL extension, and stores it as a data URI without proper sanitization. Specifically, an attacker can host a malicious SVG file and set their profile picture URL to that file. When a victim clicks the link to the attacker\u0026rsquo;s profile image, the browser executes the SVG code, potentially leading to account takeover by exfiltrating the victim\u0026rsquo;s JWT token. This vulnerability is similar to CVE-2025-64496 and CVE-2025-64495, which highlights trust boundary errors in Open WebUI.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious SVG file containing JavaScript code to exfiltrate \u003ccode\u003elocalStorage.token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious SVG file on a publicly accessible server (e.g., \u003ccode\u003ehttps://attacker.example/p.svg\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker configures their OAuth profile picture URL to point to the malicious SVG file.\u003c/li\u003e\n\u003cli\u003eThe attacker signs in to Open WebUI via OAuth, triggering the application to fetch and store the SVG data URI as their profile image.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a URL to their profile image endpoint (e.g., \u003ccode\u003ehttps://target.example/api/v1/users/\u0026lt;attacker-user-id\u0026gt;/profile/image\u003c/code\u003e) and shares it with a victim.\u003c/li\u003e\n\u003cli\u003eThe authenticated victim clicks on the link.\u003c/li\u003e\n\u003cli\u003eThe server serves the attacker-controlled SVG with \u003ccode\u003eContent-Type: image/svg+xml\u003c/code\u003e and \u003ccode\u003eContent-Disposition: inline\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser renders the SVG, executes the embedded JavaScript, and exfiltrates the victim\u0026rsquo;s JWT token to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to account takeover of any authenticated user who clicks the malicious link. The attacker can then access the victim\u0026rsquo;s chats, API keys, and potentially achieve remote code execution (RCE) via installed tools if the victim has the \u003ccode\u003eworkspace.tools\u003c/code\u003e permission. Furthermore, the lack of SSRF protection allows an attacker to potentially read internal resources by pointing the \u003ccode\u003epicture\u003c/code\u003e claim at internal URLs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement server-side MIME type validation in \u003ccode\u003e_process_picture_url\u003c/code\u003e (\u003ccode\u003eutils/oauth.py:1336-1345\u003c/code\u003e) to only allow \u003ccode\u003eimage/png\u003c/code\u003e, \u003ccode\u003eimage/jpeg\u003c/code\u003e, \u003ccode\u003eimage/gif\u003c/code\u003e, and \u003ccode\u003eimage/webp\u003c/code\u003e. Use the \u003ccode\u003eContent-Type\u003c/code\u003e response header instead of the URL extension.\u003c/li\u003e\n\u003cli\u003eEnforce a MIME whitelist in \u003ccode\u003eget_user_profile_image_by_id\u003c/code\u003e (\u003ccode\u003erouters/users.py:504-528\u003c/code\u003e) before building the \u003ccode\u003eStreamingResponse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the \u003ccode\u003evalidate_profile_image_url\u003c/code\u003e validator at the model layer (\u003ccode\u003eUsers.update_user_profile_image_url_by_id\u003c/code\u003e), not just at the Pydantic form layer, to ensure all profile image updates are validated.\u003c/li\u003e\n\u003cli\u003eEnable \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e and set a default Content Security Policy (CSP) to mitigate XSS attacks by setting the appropriate environment variables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:31:48Z","date_published":"2026-05-14T20:31:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-xss/","summary":"Open WebUI is vulnerable to stored cross-site scripting (XSS) via OAuth profile picture handling, allowing an attacker to inject malicious SVG code and potentially takeover user accounts by exfiltrating JWT tokens.","title":"Open WebUI Stored XSS Vulnerability via OAuth Profile Picture","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.9.4)"],"_cs_severities":["high"],"_cs_tags":["open-webui","file-access","privilege-escalation","cve-2026-45402"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpen WebUI versions 0.9.4 and earlier are susceptible to a cross-user file access vulnerability. The vulnerability stems from a lack of proper authorization checks when handling user-supplied \u003ccode\u003efile_id\u003c/code\u003e values in the Folder Knowledge and Knowledge-Base Attach endpoints. An authenticated attacker can exploit this flaw to access and potentially overwrite files belonging to other users by manipulating folder knowledge or attaching malicious files to knowledge bases. The vulnerability was reported on May 14, 2026, and affects systems where Open WebUI is deployed. Exploitation requires knowledge of the victim\u0026rsquo;s file UUID, which, while not directly enumerable, may leak through normal usage patterns, such as chat sources, shared chat citations, URL paths, browser history, and export/share flows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Open WebUI application.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the UUID of a target file belonging to another user through various means, such as shared chats, URL paths, or browser history.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/v1/folders/\u0026lt;attacker_folder_id\u0026gt;/update\u003c/code\u003e endpoint (Path 1) or \u003ccode\u003e/api/v1/knowledge/\u0026lt;kb_id\u0026gt;/file/add\u003c/code\u003e endpoint (Path 2).\u003c/li\u003e\n\u003cli\u003eIn Path 1, the attacker includes a \u003ccode\u003edata\u003c/code\u003e payload with a \u003ccode\u003efiles\u003c/code\u003e array containing the victim\u0026rsquo;s file UUID, structured as \u003ccode\u003e{\u0026quot;data\u0026quot;: {\u0026quot;files\u0026quot;: [{\u0026quot;id\u0026quot;: \u0026quot;\u0026lt;victim_file_id\u0026gt;\u0026quot;, \u0026quot;type\u0026quot;: \u0026quot;file\u0026quot;}]}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn Path 2, the attacker provides the victim file UUID as the \u003ccode\u003efile_id\u003c/code\u003e parameter in the request body: \u003ccode\u003e{\u0026quot;file_id\u0026quot;:\u0026quot;$VICTIM_FILE_ID\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf exploiting path 2, the attacker creates a new knowledge base using the /api/v1/knowledge/create endpoint.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks on the \u003ccode\u003efile_id\u003c/code\u003e, attaches the victim\u0026rsquo;s file to the attacker\u0026rsquo;s folder or knowledge base.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access the victim\u0026rsquo;s file content through RAG flows (Path 1) or the \u003ccode\u003e/api/v1/files/{id}/content\u003c/code\u003e endpoint (Path 2) and, in Path 2, overwrite it using the \u003ccode\u003e/api/v1/files/{id}/data/content/update\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to read the contents of any other user\u0026rsquo;s private uploaded file, given knowledge of the file UUID. In the case of Path 2 (knowledge-base attach), the attacker can also overwrite the victim\u0026rsquo;s file content, leading to data tampering and potential misinformation. This can lead to unauthorized data access, data breaches, and integrity compromises. There is no direct availability impact, as the file rows are not deleted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by validating the supplied file_id against the caller\u0026rsquo;s read access before attaching the file in every writer function (backend/open_webui/routers/folders.py, backend/open_webui/routers/knowledge.py).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Knowledge Base File Add\u003c/code\u003e to detect exploitation attempts targeting the Knowledge-Base Attach endpoint (Path 2).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Folder Update with File Injection\u003c/code\u003e to detect exploitation attempts targeting the Folder Knowledge ingestion path (Path 1).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Open WebUI that addresses CVE-2026-45402.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:31:27Z","date_published":"2026-05-14T20:31:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-file-access/","summary":"Open WebUI is vulnerable to cross-user file access due to unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints, allowing authenticated users to exfiltrate or overwrite other users' private files given the file UUID (CVE-2026-45402).","title":"Open WebUI Cross-User File Access Vulnerability (CVE-2026-45402)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Open-Webui (\u003c= 0.9.4)","version":"https://jsonfeed.org/version/1.1"}