CVE-2026-59223
Received Received - Intake

Path-Based Blocklist Bypass in Open WebUI

Vulnerability report for CVE-2026-59223, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
open_webui open_webui to 0.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-59223 vulnerability in Open WebUI is caused by improper hostname matching in the WEB_FETCH_FILTER_LIST functionality. The system used a suffix matching method (endswith) on full URL strings instead of strictly matching hostnames. This led to two main problems: blocklisted hosts with URL paths could bypass the filter because the path matched instead of the hostname, and malicious hostnames that ended with allowed strings could incorrectly pass the filter. For example, a blocklist entry like !internal.example.com failed to block URLs such as https://internal.example.com/x. Additionally, domains like evilcorp.com could bypass restrictions intended for corp.com due to non-label-boundary matching. The vulnerability was fixed by introducing a new function that performs exact hostname matching or checks for DNS label boundaries, ensuring proper filtering.

Impact Analysis

This vulnerability allows authenticated users to bypass host-based allow/block filters in Open WebUI, enabling them to trigger server-side web fetches to hosts that administrators intended to block. This can lead to potential content disclosure through server-side request forgery (SSRF) attacks. Although the primary SSRF protections that block non-global IP addresses remain effective, the bypass of hostname filtering can expose internal or sensitive hosts to unauthorized access or data leakage.

Detection Guidance

This vulnerability involves improper hostname matching in the WEB_FETCH_FILTER_LIST functionality, allowing bypasses through URL paths or sibling-domain matches. Detection involves identifying server-side web fetches to hosts that should be blocked but are allowed due to the flawed matching logic.

To detect this on your system, you can monitor or log web fetch requests made by Open WebUI, especially those targeting hosts that are supposed to be blocked by the filter list but are still accessed.

Suggested commands include inspecting logs or network traffic for requests to suspicious or blocklisted hosts with unexpected paths. For example, using tools like tcpdump or Wireshark to filter HTTP requests:

  • tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -E 'internal\.example\.com|evilcorp\.com|110\.0\.0\.1'
  • grep -r 'fetch' /path/to/open-webui/logs | grep -E 'internal.example.com|evilcorp.com|110.0.0.1'

Additionally, reviewing the configuration of WEB_FETCH_FILTER_LIST and testing with URLs that include paths or sibling domains can help identify if the vulnerable matching logic is in use.

Mitigation Strategies

The primary mitigation step is to upgrade Open WebUI to version 0.10.0 or later, where the vulnerability is fixed by replacing the flawed hostname matching logic with a strict DNS label boundary check.

If upgrading immediately is not possible, review and tighten the WEB_FETCH_FILTER_LIST configuration to minimize exposure, although this may not fully prevent bypasses due to the inherent logic flaw.

Additionally, monitor and restrict authenticated user actions that can trigger server-side web fetches to untrusted hosts, as the vulnerability allows authenticated users to bypass intended host blocks.

Ensure that other SSRF protections, such as blocking non-global IP addresses, remain enabled as they are unaffected by this issue.

Compliance Impact

The CVE-2026-59223 vulnerability in Open WebUI allows authenticated users to bypass hostname-based blocklists in the WEB_FETCH_FILTER_LIST functionality, potentially enabling server-side request forgery (SSRF) to hosts that administrators intended to block.

This could lead to unauthorized content disclosure or access to internal resources, which may impact the confidentiality of sensitive data.

Such unauthorized data access or disclosure could affect compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or sensitive information.

However, the primary SSRF protection that blocks non-global IP addresses remains effective, limiting the scope of potential data exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart