CVE-2026-45401: open-webui: SSRF redirect bypass exposes internal services
GHSA-rh5x-h6pp-cjj6 HIGH PoC AVAILABLE CISA: TRACK*Open WebUI up to 0.9.4 contains a Server-Side Request Forgery flaw where the URL validation function only inspects the initial submitted URL while downstream HTTP clients silently follow 3xx redirects to private IP ranges, RFC1918 space, and cloud metadata endpoints — five independent code paths are affected. A CISO should care immediately because the most dangerous path (Path 5) requires only a valid user account and a normal chat message containing an image_url field — no admin rights, no special feature flag, no special endpoint — making the blast radius every authenticated user in the deployment; in AWS environments with IMDSv1 enabled, successful exploitation yields temporary IAM credentials and full cloud account pivot. There is no CISA KEV listing yet and EPSS data is pending, but the advisory includes a working curl PoC and CVSS scope is Changed (8.5), meaning exploitation crosses the trust boundary from the app process into internal infrastructure. Patch to open-webui 0.9.5 immediately; if patching is blocked, enforce egress filtering to drop requests to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges at the network layer, and enforce IMDSv2 on all cloud instances running Open WebUI.
What is the risk?
High risk. CVSS 8.5 with Changed scope, low complexity, low privilege, and no user interaction required. The most damaging exploitation path is reachable through the standard chat completion interface, meaning any user of a shared Open WebUI deployment is a potential threat actor. Cloud-hosted instances with IMDSv1 enabled face direct credential compromise; on-premise deployments face lateral movement into internal APIs, monitoring endpoints, and Kubernetes services. The package carries 91 prior CVEs, indicating a historically high vulnerability density that suggests exploitation infrastructure and attacker familiarity already exist.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LangChain Community | pip | — | No patch |
| Open WebUI | pip | <= 0.9.4 | 0.9.5 |
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch: upgrade open-webui to 0.9.5 — this is the only complete fix.
-
Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level.
-
IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds.
-
Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required.
-
Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs.
-
Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45401?
Open WebUI up to 0.9.4 contains a Server-Side Request Forgery flaw where the URL validation function only inspects the initial submitted URL while downstream HTTP clients silently follow 3xx redirects to private IP ranges, RFC1918 space, and cloud metadata endpoints — five independent code paths are affected. A CISO should care immediately because the most dangerous path (Path 5) requires only a valid user account and a normal chat message containing an image_url field — no admin rights, no special feature flag, no special endpoint — making the blast radius every authenticated user in the deployment; in AWS environments with IMDSv1 enabled, successful exploitation yields temporary IAM credentials and full cloud account pivot. There is no CISA KEV listing yet and EPSS data is pending, but the advisory includes a working curl PoC and CVSS scope is Changed (8.5), meaning exploitation crosses the trust boundary from the app process into internal infrastructure. Patch to open-webui 0.9.5 immediately; if patching is blocked, enforce egress filtering to drop requests to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges at the network layer, and enforce IMDSv2 on all cloud instances running Open WebUI.
Is CVE-2026-45401 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45401, increasing the risk of exploitation.
How to fix CVE-2026-45401?
1. Patch: upgrade open-webui to 0.9.5 — this is the only complete fix. 2. Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level. 3. IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds. 4. Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required. 5. Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs. 6. Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.
What systems are affected by CVE-2026-45401?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines with web retrieval, LLM chat frontends, agent frameworks, cloud-hosted AI assistants, internal AI platforms with network proximity to sensitive services.
What is the CVSS score for CVE-2026-45401?
CVE-2026-45401 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.30%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials AML.T0075 Cloud Service Discovery Compliance Controls Affected
What are the technical details?
Original Advisory
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5.
Exploitation Scenario
An attacker with a standard Open WebUI account on a company-internal AI assistant sends a chat message: POST /api/chat/completions with a content part of type image_url pointing to https://attacker-server/redir, which returns HTTP 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/prod-role. The Open WebUI aiohttp session pool follows the redirect with the default allow_redirects=True and fetches the IMDSv1 response. The IAM temporary credentials (AccessKeyId, SecretAccessKey, SessionToken) are base64-encoded and returned in the chat response body. The attacker extracts the credentials, calls aws sts get-caller-identity to confirm the role, and pivots into S3 buckets, RDS instances, or Secrets Manager — escalating from a chat interface login to cloud account compromise in under two minutes with no admin interaction and no network noise beyond a single outbound HTTP redirect.
Weaknesses (CWE)
CWE-918 Server-Side Request Forgery (SSRF)
Primary
CWE-918 Server-Side Request Forgery (SSRF)
Primary
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui