CVE-2026-54017
Status: Received (Intake)
Path Traversal in Open WebUI Terminal Server

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft `path` values containing encoded `../` traversal sequences that escape the intended path (or policy) scope on that server, reaching unintended endpoints and files on the terminal-server host. Where the terminal server fans requests out to internal services, this also gives SSRF-style reach into those services. This is a separate code path from the `/api/v1/retrieval/process/web` SSRF (GHSA-c6xv-rcvw-v685), with its own input. Two distinct vectors are consolidated here: first, raw path forwarding / single-encoded traversal (original report); and second, a bypass of the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`). The attacker-controlled input is the request `path`, supplied by the non-admin user, not anything an administrator configures, so this is not an admin-trust / Rule-9 situation. Version 0.9.6 fixes the issue.
Generated: 2026-06-19

EPSS: not evaluated (N/A)
Affected Vendors & Products

Vendor: open_webui
Product: open_webui
Version / Range: up to 0.9.6 (exclusive)
CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Mitigation Strategies

The vulnerability is fixed in Open WebUI version 0.9.6. Immediate mitigation involves upgrading the Open WebUI platform to version 0.9.6 or later.

Executive Summary

This vulnerability exists in Open WebUI versions prior to 0.9.6, specifically in the terminal-server reverse proxy component located in `backend/open_webui/routers/terminals.py`. The issue is that the user-controlled `path` segment is not properly confined before being forwarded to an admin-configured terminal server.

An authenticated user with access to a terminal server can craft `path` values containing encoded directory traversal sequences (like `../`) that allow them to escape the intended path or policy scope on the terminal-server host. This means they can reach unintended endpoints and files.

Additionally, where the terminal server forwards requests to internal services, this vulnerability also gives Server-Side Request Forgery (SSRF)-style reach into those services. There are two distinct attack vectors: one involving raw path forwarding with single-encoded traversal, and another bypassing the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`).

The attacker-controlled input is the request `path` supplied by a non-admin user, not anything configured by an administrator. This vulnerability was fixed in version 0.9.6.
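The Description and the Executive Summary above both describe the same failure mode: a filter that percent-decodes the `path` segment once and looks for `../` is bypassed by `%252e%252e`, because the upstream decodes again. The block below is an added illustration, not Open WebUI's code and not its `_sanitize_proxy_path`; the function names, the `/proxy/` route prefix in the sample log lines and the per-server `allowed_prefix` scope are assumptions. It contrasts a single-decode filter with a confinement check that decodes to a fixed point (bounded), rejects any dot segment, and verifies that the normalized path still sits under the allowed prefix, and it applies the same decoding to constructed access-log lines so the pattern can be spotted after the fact.

```python
"""Added example, not Open WebUI's code: confining a user-supplied proxy `path`
so single- and double-percent-encoded traversal cannot escape the intended
scope, plus a small access-log check for the same pattern."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote


def weak_sanitize(path: str) -> Optional[str]:
    """Hypothetical single-decode filter, standing in for the class of
    mitigation the advisory says double-encoded dots (%252e%252e) bypass.
    It decodes once, so '%252e%252e' becomes '%2e%2e' and passes."""
    decoded = unquote(path)
    if ".." in decoded.split("/"):
        return None
    return decoded


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, with a bound so a
    deliberately deep encoding chain is rejected instead of looping."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many percent-encoding layers")


def confine_proxy_path(path: str, allowed_prefix: str) -> Optional[str]:
    """Return a normalized path guaranteed to sit under `allowed_prefix`
    (an assumed per-server scope), or None to reject. Reject rather than
    rewrite: a path that needed fixing is a probe, not a typo."""
    try:
        decoded = fully_decode(path)
    except ValueError:
        return None
    # Control characters, backslashes and URL delimiters have no place in a
    # forwarded path segment; they could change what the upstream receives.
    if any(ord(c) < 0x20 or c in "\\?#" for c in decoded):
        return None
    # Reject dot segments outright instead of normalising them away.
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return None
    # Force exactly one leading slash (posixpath.normpath preserves a
    # leading '//'), then collapse repeated slashes.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    prefix = posixpath.normpath("/" + allowed_prefix.strip("/"))
    if prefix == "/":
        return normalized
    if normalized != prefix and not normalized.startswith(prefix + "/"):
        return None
    return normalized


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Detection side: return the access-log lines whose request path still
    contains a dot-dot segment after full decoding. Lines are expected as
    '<client> <method> <path> <status>' (a constructed, simplified format)."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            decoded = fully_decode(parts[2])
        except ValueError:
            flagged.append(line)  # deep encoding chains are suspicious too
            continue
        if ".." in decoded.split("/"):
            flagged.append(line)
    return flagged


# Constructed sample log lines; the '/proxy/' route prefix is a placeholder.
SAMPLE_LOG = [
    "10.0.0.5 GET /proxy/sessions/abc/stream 200",
    "10.0.0.7 GET /proxy/sessions/%2e%2e/admin 200",
    "10.0.0.7 GET /proxy/sessions/%252e%252e/admin 200",
]

if __name__ == "__main__":
    for raw in ("sessions/abc/stream", "sessions/%2e%2e/admin",
                "sessions/%252e%252e/admin"):
        print(f"{raw!r:32} weak={weak_sanitize(raw)!r:28} "
              f"strict={confine_proxy_path(raw, '/sessions')!r}")
    for line in flag_traversal_requests(SAMPLE_LOG):
        print("FLAGGED:", line)
```

Run stand-alone, the single-decode filter returns a non-None value for the double-encoded input while the strict check rejects it; the design point is that decoding must reach a fixed point before any traversal test is meaningful, and that the check ends with a positive containment test against the allowed prefix rather than relying on the absence of a bad substring.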

Impact Analysis

This vulnerability can have significant impacts if exploited:

  • An attacker with authenticated access to a terminal server can access files and endpoints on the terminal-server host that they should not be able to reach.
  • It enables Server-Side Request Forgery (SSRF)-style attacks, allowing the attacker to reach internal services that are normally protected from direct access.
  • This could lead to unauthorized information disclosure or further compromise of internal systems.
  • Because the vulnerability does not require admin privileges, it broadens the scope of potential attackers to any authenticated user with terminal server access.