CVE-2026-45331: Open WebUI Vulnerability Exposes Internal Networks

The National Vulnerability Database has detailed CVE-2026-45331, a critical vulnerability in Open WebUI, a self-hosted AI platform. This flaw, present in versions prior to 0.9.0, stems from an inadequate URL validation mechanism in the validate_url() function. Specifically, the call to the validators library's IPv6 check (validators.ipv6(ip, private=True)) does not apply the private keyword argument as intended, so every IPv6 address passes the filter and internal IPv6 addresses are never blocked.

Further compounding the issue, the vulnerability allows IPv4-mapped IPv6 addresses (e.g., ::ffff:10.0.0.1) to completely bypass IPv4 validation checks. Additionally, several reserved IPv4 ranges, including 0.0.0.0/8, 100.64.0.0/10, and 192.0.0.0/24, are not properly blocked. This combination creates a significant server-side request forgery (SSRF) risk, enabling attackers to access internal network resources or services that should be isolated.

With a CVSS score of 8.5 (HIGH), this vulnerability presents a clear path for an attacker to pivot from the Open WebUI instance into an organization’s internal network. The fix is available in Open WebUI version 0.9.0. Defenders must prioritize patching to mitigate the risk of unauthorized internal access.
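As an added example (not Open WebUI's own code), here is a hardened URL check built only on Python's standard library that closes the three gaps described above: it unwraps IPv4-mapped IPv6 literals before applying the IPv4 rules, keeps an explicit blocklist for 0.0.0.0/8, 100.64.0.0/10 and 192.0.0.0/24 rather than trusting is_private() alone, and refuses a hostname if any address it resolves to is internal. The function names and the resolve_host helper are assumptions for this illustration, not the project's API.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Explicit blocklist: the ranges the advisory says the pre-0.9.0 check missed
# (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24) plus RFC 1918, loopback and link-local.
# Kept explicit because is_private()/is_global() coverage differs by Python version.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(addr: str) -> bool:
    """True if addr is internal, reserved, or not a clean IP literal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # fail closed on anything that does not parse
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1 or ::ffff:a00:1) so the
    # embedded IPv4 address is what the IPv4 rules are applied to.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETWORKS):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or not ip.is_global)

def resolve_host(host: str) -> list:
    """Assumed default resolver: every A/AAAA answer for host (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_url(url: str, resolve=resolve_host) -> bool:
    """Allow only http(s) URLs whose host, or every address it resolves to, is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False  # malformed bracketed host and similar
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal: check it directly
    except ValueError:
        try:
            addrs = resolve(host)  # hostname: check every resolved address
        except OSError:
            return False  # resolution failed: refuse rather than guess
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)
```

Validate-then-fetch still leaves a DNS rebinding window, so the address that passed the check should be the one the HTTP client actually connects to.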

What This Means For You

  • If your organization uses Open WebUI, this is a direct path for attackers to traverse your internal network. Immediately verify your Open WebUI version. If it's prior to 0.9.0, patch to 0.9.0 or later without delay. Review network logs for any suspicious outbound connections from your Open WebUI instance, especially to internal IP ranges that should not be accessible.

🛡️ Detection Rules

title: CVE-2026-45331: Open WebUI IPv6 Bypass in URL Validation
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to exploit CVE-2026-45331 by leveraging IPv4-mapped IPv6 addresses to bypass URL validation in Open WebUI. The vulnerability allows attackers to access internal network resources by crafting specific IPv6 addresses that are not properly filtered by the validate_url() function. This detection specifically looks for the '::ffff:' prefix combined with a private IPv4 address range, indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45331/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Both substrings must occur in the same request URI. The original listed
    # cs-uri|contains twice as separate keys, which YAML collapses to the last
    # one, and placed the condition inside the selection where it is never read.
    cs-uri|contains|all:
      - '::ffff:'
      - '10.0.0.1'
    # '10.0.0.1' matches a single address; widen this list to the private
    # ranges actually used in your environment.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID             | Type | Indicator
CVE-2026-45331 | SSRF | Open WebUI versions prior to 0.9.0
CVE-2026-45331 | SSRF | backend/open_webui/retrieval/web/utils.py validate_url() function
CVE-2026-45331 | SSRF | IPv6 addresses bypassing validation due to validators.ipv6(ip, private=True) misconfiguration
CVE-2026-45331 | SSRF | IPv4-mapped IPv6 (::ffff:10.0.0.1) bypassing IPv4 checks
CVE-2026-45331 | SSRF | Reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24) not blocked

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
