CVE-2026-45331: open-webui: SSRF bypass exposes cloud IAM credentials
GHSA-4v7r-f4w8-8972 HIGH CISA: TRACK*open-webui's URL validation function silently accepts all IPv6 addresses — including IPv4-mapped IPv6 like ::ffff:169.254.169.254 — because the validators library ignores the private=True parameter and returns a falsy error instead of blocking the address. This directly bypasses the fix from CVE-2025-65958, meaning every deployment that applied that earlier patch is still fully exposed; in AWS, GCP, or Azure environments a single authenticated HTTP POST to /api/v1/retrieval/process/web with an IPv6-encoded cloud metadata URL can exfiltrate IAM role credentials and enable full cloud account takeover. With 91 prior CVEs in the open-webui package and no public exploit yet — though the PoC is trivial — the window before commodity tooling appears is short. Upgrade to open-webui 0.9.0 immediately; organizations that cannot patch should enforce IMDSv2 on cloud instances and add network-level egress controls blocking RFC 1918 and link-local ranges from the open-webui process.
What is the risk?
High risk (CVSS 8.5, Scope: Changed). Exploitable by any authenticated user with no special privileges beyond a valid session token, over the network, with no user interaction required. The changed scope indicator extends blast radius beyond open-webui itself to cloud infrastructure. The failed prior patch (CVE-2025-65958) means organizations with a false sense of remediation remain fully exposed. Cloud-hosted deployments face the highest immediate risk due to IMDSv1 metadata reachability enabling IAM credential theft.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.8.12 | 0.9.0 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade open-webui to version 0.9.0 immediately — the fix replaces validators library calls with Python stdlib ipaddress module which correctly handles IPv6, IPv4-mapped IPv6, and all reserved ranges.
-
Cloud hardening: Enable IMDSv2 (token-required metadata requests) on all EC2 and cloud instances running open-webui — this blocks IMDSv1 exploitation even if SSRF succeeds.
-
Network egress: Apply host-level or container-level firewall rules blocking outbound connections from the open-webui process to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 192.0.0.0/24, and ::1/128.
-
API restriction: If patching is delayed, temporarily disable or place behind additional authorization the /api/v1/retrieval/process/web and /api/v1/images/edit endpoints.
-
Detection: Alert on any outbound HTTP requests originating from the open-webui container or process to RFC 1918, link-local, or loopback address ranges.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45331?
open-webui's URL validation function silently accepts all IPv6 addresses — including IPv4-mapped IPv6 like ::ffff:169.254.169.254 — because the validators library ignores the private=True parameter and returns a falsy error instead of blocking the address. This directly bypasses the fix from CVE-2025-65958, meaning every deployment that applied that earlier patch is still fully exposed; in AWS, GCP, or Azure environments a single authenticated HTTP POST to /api/v1/retrieval/process/web with an IPv6-encoded cloud metadata URL can exfiltrate IAM role credentials and enable full cloud account takeover. With 91 prior CVEs in the open-webui package and no public exploit yet — though the PoC is trivial — the window before commodity tooling appears is short. Upgrade to open-webui 0.9.0 immediately; organizations that cannot patch should enforce IMDSv2 on cloud instances and add network-level egress controls blocking RFC 1918 and link-local ranges from the open-webui process.
Is CVE-2026-45331 actively exploited?
No confirmed active exploitation of CVE-2026-45331 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45331?
1. Patch: Upgrade open-webui to version 0.9.0 immediately — the fix replaces validators library calls with Python stdlib ipaddress module which correctly handles IPv6, IPv4-mapped IPv6, and all reserved ranges. 2. Cloud hardening: Enable IMDSv2 (token-required metadata requests) on all EC2 and cloud instances running open-webui — this blocks IMDSv1 exploitation even if SSRF succeeds. 3. Network egress: Apply host-level or container-level firewall rules blocking outbound connections from the open-webui process to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 192.0.0.0/24, and ::1/128. 4. API restriction: If patching is delayed, temporarily disable or place behind additional authorization the /api/v1/retrieval/process/web and /api/v1/images/edit endpoints. 5. Detection: Alert on any outbound HTTP requests originating from the open-webui container or process to RFC 1918, link-local, or loopback address ranges.
What systems are affected by CVE-2026-45331?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, AI chat interfaces, web retrieval systems, model serving.
What is the CVSS score for CVE-2026-45331?
CVE-2026-45331 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.29%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0075 Cloud Service Discovery AML.T0106 Exploitation for Credential Access Compliance Controls Affected
What are the technical details?
Original Advisory
# SSRF Bypass via IPv6/IPv4-mapped IPv6/IPv4-reserved-ranges in `validate_url()` ## Summary `validate_url()` in `backend/open_webui/retrieval/web/utils.py` calls `validators.ipv6(ip, private=True)`, but the `validators` library does NOT implement the `private` keyword for IPv6 — the call raises a `ValidationError` (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (`::ffff:10.0.0.1`) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (`0.0.0.0/8`, `100.64.0.0/10`, `192.0.0.0/24`, etc.) are not blocked. The vulnerability has existed since the `validate_url()` function was introduced and was NOT actually fixed by GHSA-c6xv-rcvw-v685 / CVE-2025-65958 despite that patch's intent. It affects every endpoint that calls `validate_url()`, including `/api/v1/retrieval/process/web`, `/api/v1/images/edit`, and others. ## Affected code `backend/open_webui/retrieval/web/utils.py validate_url()`: ```python if validators.ipv6(ip, private=True): # ValidationError is falsy — never raises raise ValueError(...) ``` ## Proof of concept ```python import validators print(validators.ipv6("::1", private=True)) # ValidationError(func=ipv6, args={'reason': "ipv6() got an unexpected keyword argument 'private'", ...}) ``` End-to-end exploit: ```python import requests, ipaddress OPEN_WEBUI_URL = "https://target" TOKEN = "..." TARGET_IPV4 = "169.254.169.254" # AWS IMDSv1 mapped = "::ffff:" + TARGET_IPV4 requests.post(f"{OPEN_WEBUI_URL}/api/v1/retrieval/process/web", headers={"Authorization": f"Bearer {TOKEN}"}, json={"collection_name": "", "url": f"http://[{mapped}]/latest/meta-data/iam/security-credentials/"}) ``` ## Impact Any authenticated user can reach any internal IPv4/IPv6 address from the server process — cloud metadata, localhost-bound APIs, internal services. IMDSv1 reachability leads to IAM credential exfiltration. ## Recommended fix Replace the `validators` library calls with stdlib `ipaddress`: ```python import ipaddress addr = ipaddress.ip_address(ip) if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved or addr.is_unspecified: raise ValueError(...) # also unwrap IPv4-mapped IPv6 and re-check: if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped: addr_v4 = addr.ipv4_mapped if addr_v4.is_private or addr_v4.is_loopback or ...: raise ValueError(...) # plus explicit blocks for IANA reserved ranges (0.0.0.0/8, 100.64.0.0/10, etc. — see body for full list). ``` ## Related but separate advisories - Redirect-bypass cluster: GHSA-rh5x-h6pp-cjj6 - DNS rebinding TOCTOU: GHSA-h6x2-583h-x99r - urlparse / requests parsing-differential: GHSA-8w7q-q5jp-jvgx - Playwright loader redirect: GHSA-jrfp-m64g-pcwv - Missing `validate_url()` call in image_generations: GHSA-h7cc-wwjp-5xqh ## Credits - **Dor Konis (dkonis, GE Vernova)** — first to identify the `validators.ipv6(private=True)` silent-fail and IPv4-mapped IPv6 bypass; GHSA-4v7r-f4w8-8972 (this filing, 2024-09-11; credit explicitly requested in original report). - **wlayzz** — first to identify the unblocked IPv4 reserved ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.2.0/24, 198.18.0.0/15, 203.0.113.0/24, etc.); GHSA-pxgj-3gvh-mfjv. Subsequent filings (GHSA-mggf-94hh-vp4w by vnth4nhnt, GHSA-xhgr-g5q7-jg6p by L1M1T-HACK) re-described the same root cause on the same or different endpoints and were closed as duplicates without advisory credit — fixing `validate_url()` once resolves all of them.
Exploitation Scenario
An attacker with a valid open-webui account — a low-privileged user, trial account holder, or insider — sends a POST request to /api/v1/retrieval/process/web with the URL set to http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/. The validate_url() function calls validators.ipv6('::ffff:169.254.169.254', private=True), which silently returns a falsy ValidationError rather than raising a block, so the address clears all validation checks. The open-webui server fetches the URL server-side, hitting the AWS IMDSv1 endpoint and receiving the list of attached IAM role names. The attacker follows up to /latest/meta-data/iam/security-credentials/<role-name> to retrieve temporary AWS access keys, which are returned in the API response body. With those credentials the attacker pivots to S3 data exfiltration, Secrets Manager secret extraction, or EC2 lateral movement — achieving full cloud account compromise from a single authenticated HTTP call.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui