CVE-2026-45347: Open WebUI: blind SSRF via PDF export HTML injection
GHSA-f776-fp4w-266c MEDIUM PoC AVAILABLE CISA: TRACK*Open WebUI's PDF export endpoint accepts user-controlled HTML in the chat title field without sanitization, allowing any authenticated user to force the server to make outbound GET requests to arbitrary URLs. With 91 CVEs already catalogued against this package and broad enterprise adoption as a self-hosted LLM frontend, organizations face meaningful internal network reconnaissance exposure — an attacker with a valid session can map Ollama inference servers, vector databases, and internal APIs sitting behind the same host, using timing oracles and OAST callbacks to enumerate reachable services. No public exploit exists and the vulnerability is not in CISA KEV, but exploitation requires only a valid account and a single intercepted HTTP request. Upgrade to open-webui >= 0.5.11, which applies html.escape() to all user-controllable fields before they enter the PDF template renderer.
What is the risk?
Medium risk overall, consistent with CVSS 4.3. PR:L means any authenticated user is a potential threat actor — critical in multi-tenant or shared Open WebUI deployments common in enterprise AI experimentation environments. Blind SSRF limits direct data exfiltration but enables internal network enumeration via timing and callback confirmation. No public PoC tool, Nuclei template, or active exploitation is recorded. Risk escalates significantly in deployments where the Open WebUI host has privileged LAN access to internal model inference servers, vector databases, or internal APIs, as SSRF becomes a reconnaissance primitive enabling higher-impact follow-on attacks.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | < 0.5.11 | 0.5.11 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade open-webui to >= 0.5.11 immediately — the fix applies html.escape() to all user-controllable fields (title, content, role, model, date) before they are passed to the fpdf2 HTML renderer, neutralizing the injection vector.
-
If immediate patching is not possible, restrict or disable access to /api/v1/utils/pdf for non-administrative roles via reverse proxy ACLs.
-
Implement egress filtering on the Open WebUI host to block outbound HTTP/HTTPS connections to internal RFC-1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
-
Review network segmentation to ensure the Open WebUI host cannot reach internal model servers or sensitive APIs on arbitrary ports.
-
Monitor web server logs for POST requests to /api/v1/utils/pdf containing HTML tag patterns in the title field as an indicator of exploitation attempts.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45347?
Open WebUI's PDF export endpoint accepts user-controlled HTML in the chat title field without sanitization, allowing any authenticated user to force the server to make outbound GET requests to arbitrary URLs. With 91 CVEs already catalogued against this package and broad enterprise adoption as a self-hosted LLM frontend, organizations face meaningful internal network reconnaissance exposure — an attacker with a valid session can map Ollama inference servers, vector databases, and internal APIs sitting behind the same host, using timing oracles and OAST callbacks to enumerate reachable services. No public exploit exists and the vulnerability is not in CISA KEV, but exploitation requires only a valid account and a single intercepted HTTP request. Upgrade to open-webui >= 0.5.11, which applies html.escape() to all user-controllable fields before they enter the PDF template renderer.
Is CVE-2026-45347 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45347, increasing the risk of exploitation.
How to fix CVE-2026-45347?
1. Upgrade open-webui to >= 0.5.11 immediately — the fix applies html.escape() to all user-controllable fields (title, content, role, model, date) before they are passed to the fpdf2 HTML renderer, neutralizing the injection vector. 2. If immediate patching is not possible, restrict or disable access to /api/v1/utils/pdf for non-administrative roles via reverse proxy ACLs. 3. Implement egress filtering on the Open WebUI host to block outbound HTTP/HTTPS connections to internal RFC-1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 4. Review network segmentation to ensure the Open WebUI host cannot reach internal model servers or sensitive APIs on arbitrary ports. 5. Monitor web server logs for POST requests to /api/v1/utils/pdf containing HTML tag patterns in the title field as an indicator of exploitation attempts.
What systems are affected by CVE-2026-45347?
This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, AI inference frontends, Enterprise self-hosted AI deployments, Multi-model AI orchestration environments.
What is the CVSS score for CVE-2026-45347?
CVE-2026-45347 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.19%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0006 Active Scanning AML.T0049 Exploit Public-Facing Application AML.T0075 Cloud Service Discovery Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Blind server side request forgery (SSRF) via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4. ### Details In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below. ### PoC Start a chat and export the PDF:  Intercept the request and insert an `<img>` tag into the `title`: ```http POST /api/v1/utils/pdf HTTP/2 Host: domain.local //Some headers removed Content-Type: application/json Content-Length: 541 Te: trailers {"title":"<img src='https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com' />","messages":[{"id":"81f24589-384d-431c-a26c-5cd3382ac941","parentId":null,"childrenIds":["0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e"],"role":"user","content":"hallo","timestamp":1736932102,"models":["gpt-4o-POC"]},{"parentId":"81f24589-384d-431c-a26c-5cd3382ac941","id":"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e","childrenIds":[],"role":"assistant","content":"Hallo! Wie kann ich Ihnen helfen?","model":"gpt-4o-POC","modelName":"gpt-4o-POC","modelIdx":0,"userContext":null,"timestamp":1736932103,"done":true}]} ``` A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com. ### Impact A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests. ## Resolution Fixed in commit [167c8bf00](https://github.com/open-webui/open-webui/commit/167c8bf00d165af523acfc3b870749f6be6d3e57), first released in **v0.5.11** (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (`title`, `content`, `role`, `model`, formatted date) in `html.escape()` before the template f-string is fed to `fpdf2.write_html()`. The PoC payload `<img src='...' />` is escaped to `<img src='...' />` and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on `>= 0.5.11` are not affected.
Exploitation Scenario
A malicious insider or attacker with a compromised employee account in an enterprise Open WebUI deployment authenticates normally and initiates a chat export to PDF. Using Burp Suite, they intercept the POST request to /api/v1/utils/pdf and replace the title value with `<img src='http://ollama.internal:11434/api/tags' />`. The Open WebUI server — which has direct LAN connectivity to the internal Ollama inference backend — processes the unsanitized HTML and issues a GET request to the injected URL. The attacker uses a Burp Collaborator or similar OAST infrastructure to confirm callbacks, iterating through internal hostnames and ports to map the internal AI infrastructure. With this reconnaissance, they identify additional attack surfaces such as unauthenticated model management endpoints or misconfigured internal APIs.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui