Open-Webui (<= 0.9.4) — CraftedSignal Threat Feed

Open WebUI SSRF Vulnerability via URL Parsing Discrepancy (CVE-2026-45400)

hello@craftedsignal.io — Thu, 14 May 2026 20:37:19 +0000

Open WebUI versions 0.9.4 and earlier contain a server-side request forgery (SSRF) vulnerability (CVE-2026-45400) in the validate_url function. The vulnerability arises from inconsistent URL parsing between the urlparse and requests libraries. Specifically, urlparse may interpret a URL like http://127.0.0.1:6666\@1.1.1.1 as pointing to the public IP address 1.1.1.1, while the requests library interprets it as the internal IP address 127.0.0.1:6666. This discrepancy allows an attacker to bypass the intended URL validation and make unauthorized requests to internal resources. Successful exploitation can lead to information disclosure or further internal network compromise. The vulnerability was reported on May 14, 2026.

Attack Chain

The attacker crafts a malicious URL with the format http://127.0.0.1:6666\@public.ip.address.
The user provides the crafted URL to Open WebUI, which uses the validate_url function to validate the URL.
The validate_url function uses urllib.parse.urlparse to parse the hostname of the URL.
urllib.parse.urlparse incorrectly identifies the hostname as public.ip.address due to the presence of the @ symbol after the internal IP address.
The validation logic considers public.ip.address as a public IP and approves the URL.
The application then uses the requests.get function to make a request to the validated URL.
requests.get interprets the URL differently and sends the request to the internal IP address 127.0.0.1:6666.
The attacker successfully makes a request to the internal IP address, achieving SSRF and potentially gaining access to sensitive information or internal services.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-45400) in Open WebUI can allow an attacker to bypass URL validation and make unauthorized requests to internal resources. This may lead to information disclosure, access to internal services, or further compromise of the internal network. The severity is rated as high due to the potential for significant impact on confidentiality and integrity. Affected organizations may experience data breaches or service disruptions.

Recommendation

Upgrade to a patched version of Open WebUI that addresses the URL parsing discrepancy.
Deploy the Sigma rule Detect Open WebUI SSRF Attempt via Malicious URL to detect attempts to exploit this vulnerability.
Review and harden URL validation logic within the Open WebUI application to ensure consistent parsing across different libraries.
Implement network segmentation and access controls to limit the impact of potential SSRF vulnerabilities.

Open WebUI Stored XSS Vulnerability via OAuth Profile Picture

hello@craftedsignal.io — Thu, 14 May 2026 20:31:48 +0000

Open WebUI versions 0.9.4 and earlier are vulnerable to a stored cross-site scripting (XSS) attack due to improper validation of profile images when users sign in via OAuth. The application fetches a URL provided in the OAuth picture claim, infers the MIME type from the URL extension, and stores it as a data URI without proper sanitization. Specifically, an attacker can host a malicious SVG file and set their profile picture URL to that file. When a victim clicks the link to the attacker’s profile image, the browser executes the SVG code, potentially leading to account takeover by exfiltrating the victim’s JWT token. This vulnerability is similar to CVE-2025-64496 and CVE-2025-64495, which highlights trust boundary errors in Open WebUI.

Attack Chain

The attacker crafts a malicious SVG file containing JavaScript code to exfiltrate localStorage.token.
The attacker hosts the malicious SVG file on a publicly accessible server (e.g., https://attacker.example/p.svg).
The attacker configures their OAuth profile picture URL to point to the malicious SVG file.
The attacker signs in to Open WebUI via OAuth, triggering the application to fetch and store the SVG data URI as their profile image.
The attacker crafts a URL to their profile image endpoint (e.g., https://target.example/api/v1/users//profile/image) and shares it with a victim.
The authenticated victim clicks on the link.
The server serves the attacker-controlled SVG with Content-Type: image/svg+xml and Content-Disposition: inline.
The victim’s browser renders the SVG, executes the embedded JavaScript, and exfiltrates the victim’s JWT token to the attacker’s server.

Impact

Successful exploitation can lead to account takeover of any authenticated user who clicks the malicious link. The attacker can then access the victim’s chats, API keys, and potentially achieve remote code execution (RCE) via installed tools if the victim has the workspace.tools permission. Furthermore, the lack of SSRF protection allows an attacker to potentially read internal resources by pointing the picture claim at internal URLs.

Recommendation

Implement server-side MIME type validation in _process_picture_url (utils/oauth.py:1336-1345) to only allow image/png, image/jpeg, image/gif, and image/webp. Use the Content-Type response header instead of the URL extension.
Enforce a MIME whitelist in get_user_profile_image_by_id (routers/users.py:504-528) before building the StreamingResponse.
Apply the validate_profile_image_url validator at the model layer (Users.update_user_profile_image_url_by_id), not just at the Pydantic form layer, to ensure all profile image updates are validated.
Enable X-Content-Type-Options: nosniff and set a default Content Security Policy (CSP) to mitigate XSS attacks by setting the appropriate environment variables.

Open WebUI Cross-User File Access Vulnerability (CVE-2026-45402)

hello@craftedsignal.io — Thu, 14 May 2026 20:31:27 +0000

Open WebUI versions 0.9.4 and earlier are susceptible to a cross-user file access vulnerability. The vulnerability stems from a lack of proper authorization checks when handling user-supplied file_id values in the Folder Knowledge and Knowledge-Base Attach endpoints. An authenticated attacker can exploit this flaw to access and potentially overwrite files belonging to other users by manipulating folder knowledge or attaching malicious files to knowledge bases. The vulnerability was reported on May 14, 2026, and affects systems where Open WebUI is deployed. Exploitation requires knowledge of the victim’s file UUID, which, while not directly enumerable, may leak through normal usage patterns, such as chat sources, shared chat citations, URL paths, browser history, and export/share flows.

Attack Chain

The attacker authenticates to the Open WebUI application.
The attacker obtains the UUID of a target file belonging to another user through various means, such as shared chats, URL paths, or browser history.
The attacker crafts a POST request to the /api/v1/folders//update endpoint (Path 1) or /api/v1/knowledge//file/add endpoint (Path 2).
In Path 1, the attacker includes a data payload with a files array containing the victim’s file UUID, structured as {"data": {"files": [{"id": "", "type": "file"}]}}.
In Path 2, the attacker provides the victim file UUID as the file_id parameter in the request body: {"file_id":"$VICTIM_FILE_ID"}.
If exploiting path 2, the attacker creates a new knowledge base using the /api/v1/knowledge/create endpoint.
The server, lacking proper authorization checks on the file_id, attaches the victim’s file to the attacker’s folder or knowledge base.
The attacker can then access the victim’s file content through RAG flows (Path 1) or the /api/v1/files/{id}/content endpoint (Path 2) and, in Path 2, overwrite it using the /api/v1/files/{id}/data/content/update endpoint.

Impact

Successful exploitation of this vulnerability allows any authenticated user to read the contents of any other user’s private uploaded file, given knowledge of the file UUID. In the case of Path 2 (knowledge-base attach), the attacker can also overwrite the victim’s file content, leading to data tampering and potential misinformation. This can lead to unauthorized data access, data breaches, and integrity compromises. There is no direct availability impact, as the file rows are not deleted.

Recommendation

Apply the recommended fix by validating the supplied file_id against the caller’s read access before attaching the file in every writer function (backend/open_webui/routers/folders.py, backend/open_webui/routers/knowledge.py).
Deploy the Sigma rule Detect Open WebUI Knowledge Base File Add to detect exploitation attempts targeting the Knowledge-Base Attach endpoint (Path 2).
Deploy the Sigma rule Detect Open WebUI Folder Update with File Injection to detect exploitation attempts targeting the Folder Knowledge ingestion path (Path 1).
Upgrade to a patched version of Open WebUI that addresses CVE-2026-45402.