CVE-2026-45347: Open WebUI: blind SSRF via PDF export HTML injection

GHSA-f776-fp4w-266c MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 14, 2026
CISO Take

Open WebUI's PDF export endpoint accepts user-controlled HTML in the chat title field without sanitization, allowing any authenticated user to force the server to make outbound GET requests to arbitrary URLs. With 91 CVEs already catalogued against this package and broad enterprise adoption as a self-hosted LLM frontend, organizations face meaningful internal network reconnaissance exposure — an attacker with a valid session can map Ollama inference servers, vector databases, and internal APIs sitting behind the same host, using timing oracles and OAST callbacks to enumerate reachable services. No public exploit exists and the vulnerability is not in CISA KEV, but exploitation requires only a valid account and a single intercepted HTTP request. Upgrade to open-webui >= 0.5.11, which applies html.escape() to all user-controllable fields before they enter the PDF template renderer.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium risk overall, consistent with CVSS 4.3. PR:L means any authenticated user is a potential threat actor — critical in multi-tenant or shared Open WebUI deployments common in enterprise AI experimentation environments. Blind SSRF limits direct data exfiltration but enables internal network enumeration via timing and callback confirmation. No public PoC tool, Nuclei template, or active exploitation is recorded. Risk escalates significantly in deployments where the Open WebUI host has privileged LAN access to internal model inference servers, vector databases, or internal APIs, as SSRF becomes a reconnaissance primitive enabling higher-impact follow-on attacks.

How does the attack unfold?

Initial Access
Attacker authenticates to Open WebUI with any valid user account — no elevated privileges required — and navigates to an existing chat session.
AML.T0012
Exploitation
Attacker intercepts the POST /api/v1/utils/pdf request and injects an HTML img tag containing an attacker-controlled or internal network URL into the title field before the request reaches the server.
AML.T0049
Internal Reconnaissance
Open WebUI processes the unsanitized HTML title through fpdf2.write_html(), which triggers an outbound HTTP GET to the injected URL, allowing the attacker to confirm reachable internal endpoints via OAST callbacks and timing.
AML.T0006
Infrastructure Mapping
Attacker iterates across internal hostnames and ports to enumerate AI infrastructure (model servers, vector databases, embedding APIs) reachable from the Open WebUI host, establishing reconnaissance for follow-on lateral movement.
AML.T0075

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip < 0.5.11 0.5.11
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 8% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I Low
A None

What should I do?

5 steps
  1. Upgrade open-webui to >= 0.5.11 immediately — the fix applies html.escape() to all user-controllable fields (title, content, role, model, date) before they are passed to the fpdf2 HTML renderer, neutralizing the injection vector.

  2. If immediate patching is not possible, restrict or disable access to /api/v1/utils/pdf for non-administrative roles via reverse proxy ACLs.

  3. Implement egress filtering on the Open WebUI host to block outbound HTTP/HTTPS connections to internal RFC-1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

  4. Review network segmentation to ensure the Open WebUI host cannot reach internal model servers or sensitive APIs on arbitrary ports.

  5. Monitor web server logs for POST requests to /api/v1/utils/pdf containing HTML tag patterns in the title field as an indicator of exploitation attempts.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system design and development
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of AI systems over time
OWASP LLM Top 10
LLM05 - Improper Output Handling

Frequently Asked Questions

What is CVE-2026-45347?

Open WebUI's PDF export endpoint accepts user-controlled HTML in the chat title field without sanitization, allowing any authenticated user to force the server to make outbound GET requests to arbitrary URLs. With 91 CVEs already catalogued against this package and broad enterprise adoption as a self-hosted LLM frontend, organizations face meaningful internal network reconnaissance exposure — an attacker with a valid session can map Ollama inference servers, vector databases, and internal APIs sitting behind the same host, using timing oracles and OAST callbacks to enumerate reachable services. No public exploit exists and the vulnerability is not in CISA KEV, but exploitation requires only a valid account and a single intercepted HTTP request. Upgrade to open-webui >= 0.5.11, which applies html.escape() to all user-controllable fields before they enter the PDF template renderer.

Is CVE-2026-45347 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45347, increasing the risk of exploitation.

How to fix CVE-2026-45347?

1. Upgrade open-webui to >= 0.5.11 immediately — the fix applies html.escape() to all user-controllable fields (title, content, role, model, date) before they are passed to the fpdf2 HTML renderer, neutralizing the injection vector. 2. If immediate patching is not possible, restrict or disable access to /api/v1/utils/pdf for non-administrative roles via reverse proxy ACLs. 3. Implement egress filtering on the Open WebUI host to block outbound HTTP/HTTPS connections to internal RFC-1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 4. Review network segmentation to ensure the Open WebUI host cannot reach internal model servers or sensitive APIs on arbitrary ports. 5. Monitor web server logs for POST requests to /api/v1/utils/pdf containing HTML tag patterns in the title field as an indicator of exploitation attempts.

What systems are affected by CVE-2026-45347?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, AI inference frontends, Enterprise self-hosted AI deployments, Multi-model AI orchestration environments.

What is the CVSS score for CVE-2026-45347?

CVE-2026-45347 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfacesAI inference frontendsEnterprise self-hosted AI deploymentsMulti-model AI orchestration environments

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

### Summary Blind server side request forgery (SSRF) via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4. ### Details In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below. ### PoC Start a chat and export the PDF: ![grafik](https://github.com/user-attachments/assets/fbfc898d-b5fd-473f-8f6e-bdc9c7f130b7) Intercept the request and insert an `<img>` tag into the `title`: ```http POST /api/v1/utils/pdf HTTP/2 Host: domain.local //Some headers removed Content-Type: application/json Content-Length: 541 Te: trailers {"title":"<img src='https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com' />","messages":[{"id":"81f24589-384d-431c-a26c-5cd3382ac941","parentId":null,"childrenIds":["0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e"],"role":"user","content":"hallo","timestamp":1736932102,"models":["gpt-4o-POC"]},{"parentId":"81f24589-384d-431c-a26c-5cd3382ac941","id":"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e","childrenIds":[],"role":"assistant","content":"Hallo! Wie kann ich Ihnen helfen?","model":"gpt-4o-POC","modelName":"gpt-4o-POC","modelIdx":0,"userContext":null,"timestamp":1736932103,"done":true}]} ``` A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com. ### Impact A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests. ## Resolution Fixed in commit [167c8bf00](https://github.com/open-webui/open-webui/commit/167c8bf00d165af523acfc3b870749f6be6d3e57), first released in **v0.5.11** (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (`title`, `content`, `role`, `model`, formatted date) in `html.escape()` before the template f-string is fed to `fpdf2.write_html()`. The PoC payload `<img src='...' />` is escaped to `&lt;img src=&#x27;...&#x27; /&gt;` and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on `>= 0.5.11` are not affected.

Exploitation Scenario

A malicious insider or attacker with a compromised employee account in an enterprise Open WebUI deployment authenticates normally and initiates a chat export to PDF. Using Burp Suite, they intercept the POST request to /api/v1/utils/pdf and replace the title value with `<img src='http://ollama.internal:11434/api/tags' />`. The Open WebUI server — which has direct LAN connectivity to the internal Ollama inference backend — processes the unsanitized HTML and issues a GET request to the injected URL. The attacker uses a Burp Collaborator or similar OAST infrastructure to confirm callbacks, iterating through internal hostnames and ports to map the internal AI infrastructure. With this reconnaissance, they identify additional attack surfaces such as unauthenticated model management endpoints or misconfigured internal APIs.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities