CVE-2026-54008
Undergoing Analysis - In Progress
Open WebUI Open Redirect to Internal SSRF

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without allow_redirects=False. aiohttp's default is allow_redirects=True, max_redirects=10; the function does not pass the project's AIOHTTP_CLIENT_ALLOW_REDIRECTS env constant either. An attacker with a valid OAuth IdP identity can therefore submit a public URL that 302-redirects to an internal address and read the internal response body via the attacker's own profile_image_url field. This vulnerability is fixed in 0.9.6.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

Vendor       Product      Version / Range
open_webui   open_webui   < 0.9.6 (affected; upper bound exclusive)
open_webui   open_webui   0.9.6 (the fixed release named in the description)
CWE
CWE-918, Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-54008 is a Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Open WebUI's OAuth login flow, specifically in the _process_picture_url helper in backend/open_webui/utils/oauth.py.

The helper calls validate_url() on the picture URL it receives from the identity provider, but then fetches that URL with aiohttp.ClientSession.get() without allow_redirects=False. aiohttp follows redirects by default (allow_redirects=True, up to max_redirects=10), and the helper also ignores the project's own AIOHTTP_CLIENT_ALLOW_REDIRECTS constant, so the redirect targets are never validated. An attacker who holds a valid identity at the configured OAuth IdP can therefore point their picture at a public URL they control and have it answer with a 302 to an internal address.

The backend follows the redirect and stores the body of the final response in the attacker's own profile_image_url field, so the attacker reads the internal service's response simply by retrieving their own profile. Any service that is unreachable from the internet but reachable from the Open WebUI host (loopback services, cloud metadata endpoints, RFC 1918 hosts) is in scope.

The issue affects Open WebUI versions prior to 0.9.6 (0.9.5 and earlier) and is fixed in 0.9.6 by controlling redirect handling.

Impact Analysis

The attacker can read responses from internal services that should never be reachable from the internet, so the primary impact is unauthorized disclosure of internal data.

The attacker needs a valid identity at the configured OAuth IdP; where ENABLE_OAUTH_SIGNUP permits self-registration, that is a low bar. From there the SSRF reaches whatever the Open WebUI backend can reach: cloud instance metadata services (which commonly expose instance credentials), localhost-bound admin or database interfaces, and other RFC 1918 hosts on the backend's network.

The result is a high confidentiality impact (CVSS score 8.5); the disclosed data can in turn support further attacks or reconnaissance.

Detection Guidance

The redirect that matters is observed only by the Open WebUI backend: the attacker's public host answers the backend's fetch with a 302 whose Location points at an internal address, and the backend then connects to that address. Nothing in the attacker's own inbound request reveals the internal target, so detection has to look at the backend's outbound traffic and at the picture URLs it was asked to fetch.

Useful signals:

  • Outbound connections from the Open WebUI process or container to loopback, RFC 1918 or link-local addresses (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, in particular 169.254.169.254) that do not correspond to a configured backend dependency. Capture with tcpdump or Wireshark on the host, or review egress proxy and firewall logs for the backend's source address.
  • Picture URLs supplied at OAuth login whose host is not a known IdP or CDN. If your deployment logs the picture URL, search for it, e.g. grep -E 'profile_image_url.*https?://' /path/to/logs, and review the hosts that appear.
  • Checking a suspect URL without following it: curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' '<profile_image_url>' prints the status code and the Location target (curl does not follow redirects unless -L is given). Bear in mind that a host under attacker control can answer differently depending on who asks, so a clean result from an operator machine does not prove the URL is benign.
Mitigation Strategies

The immediate mitigation is to upgrade Open WebUI to version 0.9.6 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, a temporary workaround is to change the aiohttp.ClientSession.get() call in _process_picture_url to pass allow_redirects=False, so that a picture URL which redirects is simply not fetched, or to follow redirects manually and run validate_url() on every hop, including relative Location values resolved against the previous URL, before the next request is made. The project's AIOHTTP_CLIENT_ALLOW_REDIRECTS constant, which the vulnerable code ignores, is the obvious source for that setting. Note that with redirects disabled, avatars served through an IdP or CDN that answers with a redirect will no longer load; that is the expected trade-off of the workaround.

Additionally, review OAuth settings such as ENABLE_OAUTH_SIGNUP (whether anyone with an IdP account can create an Open WebUI account) and OAUTH_UPDATE_PICTURE_ON_LOGIN (whether the picture URL is fetched again at every login) to limit how many identities can trigger the fetch and how often.
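The hop-by-hop re-validation described above, shown next to the first-URL-only pattern the advisory describes, as an added example that is not Open WebUI's code. The address test it uses (is_public_ip) is the same classification the detection bullets apply to the backend's egress destinations. To run offline it takes the HTTP transport and the DNS resolver as injected callables instead of using aiohttp; FAKE_DNS and FAKE_NETWORK are constructed test data, and every function name here is hypothetical.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)
Transport = Callable[[str], Response]          # one request, never follows redirects
Resolver = Callable[[str], List[str]]          # hostname -> IP literals

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UnsafeURL(ValueError):
    """Raised when a URL would make the server talk to a non-public address."""


class TooManyRedirects(RuntimeError):
    """Raised when the redirect chain exceeds the configured hop budget."""


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (169.254.169.254 included), the RFC 5737
    documentation ranges and IPv4-mapped IPv6 forms of those are all rejected.
    """
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_url(url: str, resolver: Resolver) -> None:
    """Reject anything but http(s) to a host whose every address is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURL(f"unsupported or hostless URL: {url}")
    host = parts.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        addresses = resolver(host)
    if not addresses or not all(is_public_ip(a) for a in addresses):
        raise UnsafeURL(f"{host} resolves to a non-public address")


def fetch_first_url_checked_only(url: str, transport: Transport, resolver: Resolver,
                                 max_redirects: int = 10) -> Tuple[str, int, bytes]:
    """The vulnerable pattern: one check, then redirects are followed blindly
    (equivalent to aiohttp's allow_redirects=True, max_redirects=10)."""
    validate_url(url, resolver)
    for _ in range(max_redirects + 1):
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # target never re-checked
            continue
        return url, status, body
    raise TooManyRedirects(url)


def fetch_with_validated_redirects(url: str, transport: Transport, resolver: Resolver,
                                   max_redirects: int = 10) -> Tuple[str, int, bytes]:
    """Hardened variant: every hop is validated before it is requested."""
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # relative Location made absolute
            continue
        return url, status, body
    raise TooManyRedirects(url)


# Constructed data. 11.22.33.44 / 55.66.77.88 stand in for ordinary public
# addresses; the stdlib treats RFC 5737 documentation ranges as non-global,
# so they cannot play the "public attacker host" role here.
FAKE_DNS: Dict[str, List[str]] = {"attacker.example": ["11.22.33.44"],
                                  "cdn.example": ["55.66.77.88"]}
METADATA = "http://169.254.169.254/latest/meta-data/"
FAKE_NETWORK: Dict[str, Response] = {
    "https://attacker.example/avatar.png": (302, {"Location": METADATA}, b""),
    "https://attacker.example/hop": (302, {"Location": "/avatar.png"}, b""),
    METADATA: (200, {}, b"ami-id\ninstance-id\n"),
    "https://cdn.example/real.png": (200, {"Content-Type": "image/png"}, b"\x89PNG"),
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_transport(url: str) -> Response:
    return FAKE_NETWORK.get(url, (404, {}, b""))


def blocked_by_validation(url: str) -> bool:
    """True if the hardened fetcher refuses the URL or one of its redirect hops."""
    try:
        fetch_with_validated_redirects(url, fake_transport, fake_resolver)
    except UnsafeURL:
        return True
    return False


def demo() -> Dict[str, str]:
    """Run both fetchers against the attacker's picture URL and summarise."""
    url = "https://attacker.example/avatar.png"
    _, _, body = fetch_first_url_checked_only(url, fake_transport, fake_resolver)
    out = {"first_check_only": body.decode()}        # metadata body leaked
    try:
        fetch_with_validated_redirects(url, fake_transport, fake_resolver)
        out["validated"] = "fetched"
    except UnsafeURL as exc:
        out["validated"] = f"blocked: {exc}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With real aiohttp the same loop is written by passing allow_redirects=False to ClientSession.get() and reading resp.status and resp.headers["Location"] yourself; the essential point is that validate_url() runs on the absolute URL of every hop, not just the first, and that the hop budget is enforced so a redirect loop cannot hold a connection open indefinitely.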

Compliance Impact

This vulnerability allows an attacker with a valid OAuth identity to perform Server-Side Request Forgery (SSRF), enabling them to access internal resources and read sensitive internal response data. Such unauthorized access to internal data can lead to confidentiality breaches.

Confidentiality breaches caused by this vulnerability could impact compliance with data protection regulations and standards such as GDPR and HIPAA, which require strict controls to protect sensitive and personal data from unauthorized access.

Therefore, exploitation of this vulnerability may result in violations of these regulations due to exposure of internal and potentially sensitive information.
