PatchSiren cyber security CVE debrief
CVE-2026-45401 Openwebui CVE debrief
CVE-2026-45401 is a high-severity server-side request forgery issue in Open WebUI before 0.9.5. The URL validation logic checks only the original user-supplied URL, while downstream HTTP clients follow redirects by default without re-checking the final destination. That allows an authenticated user to point the application at a public URL that redirects to an internal or metadata IP and retrieve the internal response body through affected web-fetch and image-fetch paths.
- Vendor: Openwebui
- Product: Open Webui
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-19
Who should care
Administrators and security teams running self-hosted Open WebUI, especially instances that allow authenticated users to submit URLs for retrieval, image processing, or chat image handling. Any deployment that can reach internal services, localhost, RFC1918 ranges, or cloud metadata endpoints from the application server should treat this as urgent.
Technical summary
According to the supplied NVD record and vendor advisory reference, backend/open_webui/retrieval/web/utils.py validates only the initial URL. The sync requests client, async aiohttp client, and LangChain WebBaseLoader follow 3xx redirects by default, and the redirected target is not revalidated against the private-IP or metadata-IP block list. As a result, an authenticated user can trigger server-side fetching of an internal destination by first submitting a public URL that redirects to 127.0.0.1, 169.254.169.254, or an RFC1918 address. The issue affects routes that use these helpers, including /api/v1/retrieval/process/web, /api/v1/images/... endpoints, and /api/chat/completions when an image_url content part is involved.
Defensive priority
High. The flaw exposes internal network and metadata resources to authenticated users and can be used to read internal response bodies. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, scored 8.5 (High).
Recommended defensive actions
- Upgrade Open WebUI to 0.9.5 or later.
- Review which authenticated users can submit external URLs or image URLs, and restrict those features if they are not required.
- Add outbound network egress controls so the application server cannot reach localhost, private RFC1918 ranges, or cloud metadata endpoints.
- Verify that any custom integrations or forks revalidate redirect targets, not just the initial URL.
- Monitor for unusual redirect chains or internal-address fetch attempts in application and proxy logs.
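The redirect revalidation described in the technical summary and in the fourth recommended action, as an added example that is not Open WebUI's own code: a fetch helper that disables automatic redirects, checks the destination of every hop (including relative Location headers) against loopback, RFC1918, link-local/metadata and IPv4-mapped IPv6 ranges, and fails closed on unresolvable hosts. The function names, the `send`/`resolver` injection points, the `requests_sender` adapter and the constructed redirect chain (using the 203.0.113.0/24 documentation range) are this example's assumptions, not identifiers from the advisory.

```python
"""Redirect-aware SSRF guard (added example; not Open WebUI's code)."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urljoin, urlsplit

# Ranges a server-side fetcher should never reach: loopback, RFC1918,
# link-local (which includes 169.254.169.254), CGNAT, "this network",
# and their IPv6 counterparts. IPv4-mapped IPv6 is unwrapped before checking.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

Resolver = Callable[[str], Iterable[str]]
Response = Tuple[int, dict, bytes]        # (status, headers, body)
Sender = Callable[[str], Response]        # one request, redirects disabled


def default_resolver(host: str) -> list:
    """Resolve a hostname to every A/AAAA address it has (real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_blocked(addr: str) -> bool:
    """True if a single IP literal falls inside a blocked range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped      # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def url_is_blocked(url: str, resolver: Resolver = default_resolver) -> bool:
    """True unless the URL is http(s) and EVERY address it resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True                          # file://, gopher://, empty host, ...
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = list(resolver(host))
        except (socket.gaierror, OSError):
            return True                      # unresolvable: fail closed
    return not addrs or any(address_is_blocked(a) for a in addrs)


class BlockedDestination(Exception):
    """Raised when any hop of the fetch points at a blocked destination."""


def fetch_checking_every_hop(url: str, send: Sender, *, max_redirects: int = 5,
                             resolver: Resolver = default_resolver) -> Response:
    """Follow redirects manually so each destination is validated before use.

    `send` must perform ONE request with automatic redirects turned off
    (see requests_sender below) and return (status, headers, body).
    """
    current = url
    for _ in range(max_redirects + 1):
        if url_is_blocked(current, resolver):
            raise BlockedDestination(current)
        status, headers, body = send(current)
        if status not in REDIRECT_STATUSES:
            return status, headers, body
        location = headers.get("Location") or headers.get("location")
        if not location:
            return status, headers, body     # redirect without a target: stop
        current = urljoin(current, location)  # resolves relative Location values
    raise BlockedDestination(f"too many redirects starting at {url}")


def fetch_outcome(url: str, send: Sender, resolver: Resolver = default_resolver):
    """Return ("ok", body) or ("blocked", destination); convenient for logging."""
    try:
        return "ok", fetch_checking_every_hop(url, send, resolver=resolver)[2]
    except BlockedDestination as exc:
        return "blocked", str(exc)


def requests_sender(url: str) -> Response:
    """Single-hop adapter for the `requests` library (optional dependency)."""
    import requests  # imported lazily so the module loads without it installed
    r = requests.get(url, allow_redirects=False, timeout=10)
    return r.status_code, dict(r.headers), r.content


def make_fake_sender(chain: dict) -> Sender:
    """Constructed stand-in for the network: maps a URL to its canned response."""
    def send(url: str) -> Response:
        return chain.get(url, (404, {}, b""))
    return send


# Constructed chain: a public-looking page that redirects to the metadata IP.
CONSTRUCTED_CHAIN = {
    "http://example.test/doc": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://example.test/ok": (200, {}, b"public content"),
}
CONSTRUCTED_DNS = lambda host: ["203.0.113.10"]   # every name "resolves" to a public address


if __name__ == "__main__":
    send = make_fake_sender(CONSTRUCTED_CHAIN)
    print(fetch_outcome("http://example.test/ok", send, CONSTRUCTED_DNS))
    print(fetch_outcome("http://example.test/doc", send, CONSTRUCTED_DNS))
```

This guard checks hostnames at the moment of validation, so a name whose DNS answer changes between the check and the connection (DNS rebinding) can still slip past it; pinning the resolved address for the actual connection, or the egress controls recommended above, closes that remaining gap.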
Evidence notes
This debrief is based only on the supplied CVE description, NVD metadata, and the linked GitHub security advisory reference. The supplied record states that the issue is fixed in 0.9.5, maps to CWE-918, and uses CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N. The provided timeline shows publication on 2026-05-15 and modification on 2026-05-19.
Official resources
- CVE-2026-45401 CVE record (CVE.org)
- CVE-2026-45401 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: GitHub security advisory (URL not preserved on this page; tagged Exploit, Mitigation, Vendor Advisory)
Publicly disclosed in the vendor advisory and reflected in NVD on 2026-05-15; the record was last modified on 2026-05-19. The supplied data does not mark it as a CISA KEV item.