CVE-2026-45331: open-webui: SSRF bypass exposes cloud IAM credentials

GHSA-4v7r-f4w8-8972 HIGH CISA: TRACK*
Published May 14, 2026
CISO Take

open-webui's URL validation function silently accepts all IPv6 addresses — including IPv4-mapped IPv6 like ::ffff:169.254.169.254 — because the validators library ignores the private=True parameter and returns a falsy error instead of blocking the address. This directly bypasses the fix from CVE-2025-65958, meaning every deployment that applied that earlier patch is still fully exposed; in AWS, GCP, or Azure environments a single authenticated HTTP POST to /api/v1/retrieval/process/web with an IPv6-encoded cloud metadata URL can exfiltrate IAM role credentials and enable full cloud account takeover. With 91 prior CVEs in the open-webui package and no public exploit yet — though the PoC is trivial — the window before commodity tooling appears is short. Upgrade to open-webui 0.9.0 immediately; organizations that cannot patch should enforce IMDSv2 on cloud instances and add network-level egress controls blocking RFC 1918 and link-local ranges from the open-webui process.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk (CVSS 8.5, Scope: Changed). Exploitable by any authenticated user with no special privileges beyond a valid session token, over the network, with no user interaction required. The changed scope indicator extends blast radius beyond open-webui itself to cloud infrastructure. The failed prior patch (CVE-2025-65958) means organizations with a false sense of remediation remain fully exposed. Cloud-hosted deployments face the highest immediate risk due to IMDSv1 metadata reachability enabling IAM credential theft.

How does the attack unfold?

Initial Access
Attacker authenticates to open-webui using a valid account (trial, low-privileged, or compromised user token) to obtain a bearer token for API calls.
AML.T0012
SSRF Exploitation
Attacker submits a POST to /api/v1/retrieval/process/web with an IPv4-mapped IPv6 URL (::ffff:169.254.169.254) targeting the cloud metadata service, bypassing validate_url() due to the silent validators library failure.
AML.T0049
Cloud Metadata Access
The open-webui server fetches the internal metadata URL server-side, reaching IMDSv1 and returning the list of attached IAM roles and their credential endpoints.
AML.T0075
Credential Exfiltration
Attacker retrieves temporary AWS IAM access keys from the metadata endpoint response and uses them to pivot to cloud services (S3, Secrets Manager, EC2) for full account compromise.
AML.T0106

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.8.12 0.9.0
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
8.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I Low
A None

What should I do?

5 steps
  1. Patch: Upgrade open-webui to version 0.9.0 immediately — the fix replaces validators library calls with Python stdlib ipaddress module which correctly handles IPv6, IPv4-mapped IPv6, and all reserved ranges.

  2. Cloud hardening: Enable IMDSv2 (token-required metadata requests) on all EC2 and cloud instances running open-webui — this blocks IMDSv1 exploitation even if SSRF succeeds.

  3. Network egress: Apply host-level or container-level firewall rules blocking outbound connections from the open-webui process to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 192.0.0.0/24, and ::1/128.

  4. API restriction: If patching is delayed, temporarily disable or place behind additional authorization the /api/v1/retrieval/process/web and /api/v1/images/edit endpoints.

  5. Detection: Alert on any outbound HTTP requests originating from the open-webui container or process to RFC 1918, link-local, or loopback address ranges.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Information security for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms for sustaining AI risk management
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45331?

open-webui's URL validation function silently accepts all IPv6 addresses — including IPv4-mapped IPv6 like ::ffff:169.254.169.254 — because the validators library ignores the private=True parameter and returns a falsy error instead of blocking the address. This directly bypasses the fix from CVE-2025-65958, meaning every deployment that applied that earlier patch is still fully exposed; in AWS, GCP, or Azure environments a single authenticated HTTP POST to /api/v1/retrieval/process/web with an IPv6-encoded cloud metadata URL can exfiltrate IAM role credentials and enable full cloud account takeover. With 91 prior CVEs in the open-webui package and no public exploit yet — though the PoC is trivial — the window before commodity tooling appears is short. Upgrade to open-webui 0.9.0 immediately; organizations that cannot patch should enforce IMDSv2 on cloud instances and add network-level egress controls blocking RFC 1918 and link-local ranges from the open-webui process.

Is CVE-2026-45331 actively exploited?

No confirmed active exploitation of CVE-2026-45331 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45331?

1. Patch: Upgrade open-webui to version 0.9.0 immediately — the fix replaces validators library calls with Python stdlib ipaddress module which correctly handles IPv6, IPv4-mapped IPv6, and all reserved ranges. 2. Cloud hardening: Enable IMDSv2 (token-required metadata requests) on all EC2 and cloud instances running open-webui — this blocks IMDSv1 exploitation even if SSRF succeeds. 3. Network egress: Apply host-level or container-level firewall rules blocking outbound connections from the open-webui process to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 192.0.0.0/24, and ::1/128. 4. API restriction: If patching is delayed, temporarily disable or place behind additional authorization the /api/v1/retrieval/process/web and /api/v1/images/edit endpoints. 5. Detection: Alert on any outbound HTTP requests originating from the open-webui container or process to RFC 1918, link-local, or loopback address ranges.

What systems are affected by CVE-2026-45331?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, AI chat interfaces, web retrieval systems, model serving.

What is the CVSS score for CVE-2026-45331?

CVE-2026-45331 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesAI chat interfacesweb retrieval systemsmodel serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0075 Cloud Service Discovery
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

# SSRF Bypass via IPv6/IPv4-mapped IPv6/IPv4-reserved-ranges in `validate_url()` ## Summary `validate_url()` in `backend/open_webui/retrieval/web/utils.py` calls `validators.ipv6(ip, private=True)`, but the `validators` library does NOT implement the `private` keyword for IPv6 — the call raises a `ValidationError` (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (`::ffff:10.0.0.1`) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (`0.0.0.0/8`, `100.64.0.0/10`, `192.0.0.0/24`, etc.) are not blocked. The vulnerability has existed since the `validate_url()` function was introduced and was NOT actually fixed by GHSA-c6xv-rcvw-v685 / CVE-2025-65958 despite that patch's intent. It affects every endpoint that calls `validate_url()`, including `/api/v1/retrieval/process/web`, `/api/v1/images/edit`, and others. ## Affected code `backend/open_webui/retrieval/web/utils.py validate_url()`: ```python if validators.ipv6(ip, private=True): # ValidationError is falsy — never raises raise ValueError(...) ``` ## Proof of concept ```python import validators print(validators.ipv6("::1", private=True)) # ValidationError(func=ipv6, args={'reason': "ipv6() got an unexpected keyword argument 'private'", ...}) ``` End-to-end exploit: ```python import requests, ipaddress OPEN_WEBUI_URL = "https://target" TOKEN = "..." TARGET_IPV4 = "169.254.169.254" # AWS IMDSv1 mapped = "::ffff:" + TARGET_IPV4 requests.post(f"{OPEN_WEBUI_URL}/api/v1/retrieval/process/web", headers={"Authorization": f"Bearer {TOKEN}"}, json={"collection_name": "", "url": f"http://[{mapped}]/latest/meta-data/iam/security-credentials/"}) ``` ## Impact Any authenticated user can reach any internal IPv4/IPv6 address from the server process — cloud metadata, localhost-bound APIs, internal services. IMDSv1 reachability leads to IAM credential exfiltration. ## Recommended fix Replace the `validators` library calls with stdlib `ipaddress`: ```python import ipaddress addr = ipaddress.ip_address(ip) if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved or addr.is_unspecified: raise ValueError(...) # also unwrap IPv4-mapped IPv6 and re-check: if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped: addr_v4 = addr.ipv4_mapped if addr_v4.is_private or addr_v4.is_loopback or ...: raise ValueError(...) # plus explicit blocks for IANA reserved ranges (0.0.0.0/8, 100.64.0.0/10, etc. — see body for full list). ``` ## Related but separate advisories - Redirect-bypass cluster: GHSA-rh5x-h6pp-cjj6 - DNS rebinding TOCTOU: GHSA-h6x2-583h-x99r - urlparse / requests parsing-differential: GHSA-8w7q-q5jp-jvgx - Playwright loader redirect: GHSA-jrfp-m64g-pcwv - Missing `validate_url()` call in image_generations: GHSA-h7cc-wwjp-5xqh ## Credits - **Dor Konis (dkonis, GE Vernova)** — first to identify the `validators.ipv6(private=True)` silent-fail and IPv4-mapped IPv6 bypass; GHSA-4v7r-f4w8-8972 (this filing, 2024-09-11; credit explicitly requested in original report). - **wlayzz** — first to identify the unblocked IPv4 reserved ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.2.0/24, 198.18.0.0/15, 203.0.113.0/24, etc.); GHSA-pxgj-3gvh-mfjv. Subsequent filings (GHSA-mggf-94hh-vp4w by vnth4nhnt, GHSA-xhgr-g5q7-jg6p by L1M1T-HACK) re-described the same root cause on the same or different endpoints and were closed as duplicates without advisory credit — fixing `validate_url()` once resolves all of them.

Exploitation Scenario

An attacker with a valid open-webui account — a low-privileged user, trial account holder, or insider — sends a POST request to /api/v1/retrieval/process/web with the URL set to http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/. The validate_url() function calls validators.ipv6('::ffff:169.254.169.254', private=True), which silently returns a falsy ValidationError rather than raising a block, so the address clears all validation checks. The open-webui server fetches the URL server-side, hitting the AWS IMDSv1 endpoint and receiving the list of attached IAM role names. The attacker follows up to /latest/meta-data/iam/security-credentials/<role-name> to retrieve temporary AWS access keys, which are returned in the API response body. With those credentials the attacker pivots to S3 data exfiltration, Secrets Manager secret extraction, or EC2 lateral movement — achieving full cloud account compromise from a single authenticated HTTP call.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities