Open WebUI: Full SSRF Vulnerability in the RAG Web Search...

8.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 — the call raises a ValidationError (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (::ffff:10.0.0.1) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, etc.) are not blocked. This vulnerability is fixed in 0.9.0.

AI Analysis

Full SSRF Vulnerability in the RAG Web Search Feature due to improper validation of URLs, allowing for bypass of IP filters

Basic Information

ID CVE-2026-45331

Source GitHub_M

Published May 15, 2026 at 19:22

Affected Product

Vendor open-webui

Product open-webui

Version < 0.9.0

Affected Versions open-webui open-webui < 0.9.0

CWE Classification

CWE-918

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor Open WebUI

Product Open WebUI

Version < 0.9.0

References

github.com /open-webui/open-webui/security/advisories/GHSA-4v7r-f4w8-8972

{
    "lastseen": "",
    "description": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 \u2014 the call raises a ValidationError (which is falsy in a boolean context), so every IPv6 address passes the filter. In addition, IPv4-mapped IPv6 (::ffff:10.0.0.1) bypasses the IPv4 check entirely, and several reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, etc.) are not blocked. This vulnerability is fixed in 0.9.0.",
    "published": "2026-05-15T19:22:58.795Z",
    "modified": "2026-05-15T19:22:58.795Z",
    "type": "cve",
    "title": "Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature",
    "source": "GitHub_M",
    "references": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4v7r-f4w8-8972",
    "id": "CVE-2026-45331",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "open-webui open-webui < 0.9.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "open-webui",
    "version": "< 0.9.0",
    "vendor": "open-webui",
    "ai_description": "Full SSRF Vulnerability in the RAG Web Search Feature due to improper validation of URLs, allowing for bypass of IP filters",
    "ai_severity": "High",
    "ai_vendor": "Open WebUI",
    "ai_product": "Open WebUI",
    "ai_version": "< 0.9.0",
    "ai_score": 8.5
}

Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature_CVE-2026-45331