CVE-2026-45401: open-webui: SSRF redirect bypass exposes internal services

GHSA-rh5x-h6pp-cjj6 HIGH PoC AVAILABLE CISA: TRACK*
Published May 14, 2026
CISO Take

Open WebUI up to 0.9.4 contains a Server-Side Request Forgery flaw where the URL validation function only inspects the initial submitted URL while downstream HTTP clients silently follow 3xx redirects to private IP ranges, RFC1918 space, and cloud metadata endpoints — five independent code paths are affected. A CISO should care immediately because the most dangerous path (Path 5) requires only a valid user account and a normal chat message containing an image_url field — no admin rights, no special feature flag, no special endpoint — making the blast radius every authenticated user in the deployment; in AWS environments with IMDSv1 enabled, successful exploitation yields temporary IAM credentials and full cloud account pivot. There is no CISA KEV listing yet and EPSS data is pending, but the advisory includes a working curl PoC and CVSS scope is Changed (8.5), meaning exploitation crosses the trust boundary from the app process into internal infrastructure. Patch to open-webui 0.9.5 immediately; if patching is blocked, enforce egress filtering to drop requests to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges at the network layer, and enforce IMDSv2 on all cloud instances running Open WebUI.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.5 with Changed scope, low complexity, low privilege, and no user interaction required. The most damaging exploitation path is reachable through the standard chat completion interface, meaning any user of a shared Open WebUI deployment is a potential threat actor. Cloud-hosted instances with IMDSv1 enabled face direct credential compromise; on-premise deployments face lateral movement into internal APIs, monitoring endpoints, and Kubernetes services. The package carries 91 prior CVEs, indicating a historically high vulnerability density that suggests exploitation infrastructure and attacker familiarity already exist.

How does the attack unfold?

Initial Access
Attacker authenticates to Open WebUI with any valid low-privilege user account — no admin rights, no special permissions required.
AML.T0012
SSRF Trigger
Attacker submits an attacker-controlled URL via the chat completion image_url field or /api/v1/retrieval/process/web endpoint; the URL points to an attacker-controlled redirect service.
AML.T0049
Redirect Follow to Internal Target
Open WebUI's HTTP client follows the 302 redirect to a private IP or cloud metadata endpoint (169.254.169.254) without re-running validate_url() on the Location header.
AML.T0037
Credential and Data Exfiltration
Internal service response — IAM credentials, internal API payloads, Kubernetes secrets — is returned in the API response body and collected by the attacker.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain Community pip No patch
140.3K OpenSSF 5.8 1.2K dependents Pushed 7d ago 57% patched ~48d to patch Full package profile →
Open WebUI pip <= 0.9.4 0.9.5
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

How severe is it?

CVSS 3.1
8.5 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 22% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I Low
A None

What should I do?

6 steps
  1. Patch: upgrade open-webui to 0.9.5 — this is the only complete fix.

  2. Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level.

  3. IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds.

  4. Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required.

  5. Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs.

  6. Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2 - AI risk management
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-45401?

Open WebUI up to 0.9.4 contains a Server-Side Request Forgery flaw where the URL validation function only inspects the initial submitted URL while downstream HTTP clients silently follow 3xx redirects to private IP ranges, RFC1918 space, and cloud metadata endpoints — five independent code paths are affected. A CISO should care immediately because the most dangerous path (Path 5) requires only a valid user account and a normal chat message containing an image_url field — no admin rights, no special feature flag, no special endpoint — making the blast radius every authenticated user in the deployment; in AWS environments with IMDSv1 enabled, successful exploitation yields temporary IAM credentials and full cloud account pivot. There is no CISA KEV listing yet and EPSS data is pending, but the advisory includes a working curl PoC and CVSS scope is Changed (8.5), meaning exploitation crosses the trust boundary from the app process into internal infrastructure. Patch to open-webui 0.9.5 immediately; if patching is blocked, enforce egress filtering to drop requests to 127.0.0.0/8, 169.254.0.0/16, and RFC1918 ranges at the network layer, and enforce IMDSv2 on all cloud instances running Open WebUI.

Is CVE-2026-45401 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45401, increasing the risk of exploitation.

How to fix CVE-2026-45401?

1. Patch: upgrade open-webui to 0.9.5 — this is the only complete fix. 2. Network egress controls: block outbound HTTP from the Open WebUI process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16 at the firewall or container network policy level. 3. IMDSv2 enforcement: if deployed on AWS, require IMDSv2 (hop limit 1, token-required) to block metadata access even if SSRF succeeds. 4. Access restriction: reduce Open WebUI access to vetted users only until patched; disable web retrieval and image-URL features if not operationally required. 5. Detection: alert on outbound connections from the Open WebUI container/process to private IP space in your WAF, eBPF-based network monitor, or cloud flow logs. 6. Dependency check: if running a custom fork, audit every HTTP client call site for allow_redirects=False and ensure validate_url() is called per redirect hop, not just on the initial URL.

What systems are affected by CVE-2026-45401?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines with web retrieval, LLM chat frontends, agent frameworks, cloud-hosted AI assistants, internal AI platforms with network proximity to sensitive services.

What is the CVSS score for CVE-2026-45401?

CVE-2026-45401 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 0.30%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines with web retrievalLLM chat frontendsagent frameworkscloud-hosted AI assistantsinternal AI platforms with network proximity to sensitive services

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5.

Exploitation Scenario

An attacker with a standard Open WebUI account on a company-internal AI assistant sends a chat message: POST /api/chat/completions with a content part of type image_url pointing to https://attacker-server/redir, which returns HTTP 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/prod-role. The Open WebUI aiohttp session pool follows the redirect with the default allow_redirects=True and fetches the IMDSv1 response. The IAM temporary credentials (AccessKeyId, SecretAccessKey, SessionToken) are base64-encoded and returned in the chat response body. The attacker extracts the credentials, calls aws sts get-caller-identity to confirm the role, and pivots into S3 buckets, RDS instances, or Secrets Manager — escalating from a chat interface login to cloud account compromise in under two minutes with no admin interaction and no network noise beyond a single outbound HTTP redirect.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published
May 14, 2026
Last Modified
May 15, 2026
First Seen
May 15, 2026

Related Vulnerabilities