CVE-2026-45338: Open WebUI SSRF Vulnerability Exposes Internal Resources

The National Vulnerability Database has detailed CVE-2026-45338, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Open WebUI, a self-hosted AI platform. Prior to version 0.9.0, the _process_picture_url() function in backend/open_webui/utils/oauth.py fails to validate the URL taken from an OAuth picture claim before fetching it. Because that validation is missing, an attacker who controls the claim can make the server issue HTTP requests to internal network resources.

This flaw enables attackers to exfiltrate full responses from internal systems, potentially exposing sensitive data or internal network topology. The vulnerability, rated with a CVSS score of 7.7 (HIGH), is particularly dangerous given Open WebUI’s design for offline operation, implying a higher expectation of internal isolation. The root cause is a classic CWE-918 (Server-Side Request Forgery) issue, where external input dictates server-side requests without adequate sanitization.

For defenders, this means an unpatched Open WebUI instance is a direct conduit into your internal network. Attackers can leverage this to map your infrastructure, bypass firewalls, and potentially access sensitive services not exposed to the internet. The fix is available in version 0.9.0, which presumably incorporates robust URL validation to prevent arbitrary URL fetching.
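As an added illustration (not Open WebUI's code and not the actual 0.9.0 fix), the Python function below shows the kind of check an OAuth picture-claim handler needs before it fetches anything: it restricts the scheme to http(s), rejects URLs that carry userinfo, and resolves the host and refuses any address that is loopback, private, link-local, multicast, reserved or unspecified. The function name validate_picture_url, the pluggable resolver argument and the sample addresses are assumptions made for this example.

```python
"""Added example: scheme and destination checks for an OAuth picture URL.

Not Open WebUI's code; the function name, the resolver parameter and the
sample addresses are assumptions made for this illustration.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: a profile picture is only ever fetched over http or https.
ALLOWED_SCHEMES = {"http", "https"}


def _is_public_address(ip) -> bool:
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are unwrapped first so the
    embedded IPv4 address is what gets checked.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_picture_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Return True only if url is http(s) and every address it resolves to is public.

    `resolver` defaults to socket.getaddrinfo; tests pass a stub so no DNS is needed.
    """
    try:
        parsed = urlparse(url)
        host = parsed.hostname          # lower-cased, brackets stripped for IPv6
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:                  # malformed IPv6 literal or out-of-range port
        return False
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parsed.username is not None or parsed.password is not None:
        return False                    # userinfo is a common way to disguise the real host
    # Literal IP address: check it directly, no lookup involved.
    try:
        return _is_public_address(ipaddress.ip_address(host))
    except ValueError:
        pass
    # Hostname: resolve it and require *every* answer to be public, so a name
    # that maps to both a public and an internal address is still rejected.
    try:
        answers = resolver(host, port)
    except (socket.gaierror, OSError):
        return False
    addresses = {entry[4][0] for entry in answers}
    if not addresses:
        return False
    try:
        return all(_is_public_address(ipaddress.ip_address(a)) for a in addresses)
    except ValueError:
        return False
```

Validating at one moment and fetching at another leaves a window in which the name can be re-pointed at an internal address, so the fetch itself should connect to the address that was validated (or validate again on every redirect hop) and should not follow redirects automatically.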

What This Means For You

  • If your organization uses Open WebUI, verify the deployed version immediately: an unpatched instance (prior to 0.9.0) is a high-risk internal pivot point.
  • Prioritize patching to version 0.9.0 or later to mitigate CVE-2026-45338 and block SSRF attacks against your internal resources.
  • Audit your network logs for unusual outbound connections from the Open WebUI instance, especially to internal IP ranges, which could indicate exploitation.
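The log audit suggested above, as an added example that is not part of the original advisory: it reads a constructed host-level connection log for the Open WebUI host, skips destinations that are globally routable or on an allowlist of known internal dependencies, and reports every other internal destination, then applies a simple "many distinct internal targets" heuristic for the infrastructure-mapping behaviour the advisory warns about. The host address 10.20.0.15, the allowlist (a model backend and a database), the log format and every log line are constructed for the example.

```python
"""Added example: flag unexpected internal egress from an Open WebUI host.

Not the project's code. The host address, allowlist, log format and sample
rows are all constructed for this illustration.
"""
import csv
import io
import ipaddress

WEBUI_HOST = "10.20.0.15"  # assumed address of the Open WebUI container/VM

# Assumed legitimate internal dependencies: (destination, port).
EXPECTED_INTERNAL = {
    ("10.20.0.20", 11434),  # model backend
    ("10.20.0.21", 5432),   # database
}

# Constructed host-level connection log (CSV). Loopback is included because a
# host-level sensor sees it, unlike a network flow collector.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,bytes_out
2026-05-16T01:20:01Z,10.20.0.15,10.20.0.20,11434,4096
2026-05-16T01:20:03Z,10.20.0.15,93.184.216.34,443,812
2026-05-16T01:20:05Z,10.20.0.15,10.20.0.21,5432,300
2026-05-16T01:20:07Z,10.20.0.15,10.20.0.5,8080,1400
2026-05-16T01:20:09Z,10.20.0.15,127.0.0.1,9090,200
2026-05-16T01:20:11Z,10.20.0.30,10.20.0.5,8080,700
2026-05-16T01:20:13Z,10.20.0.15,169.254.0.1,80,512
"""


def flag_internal_egress(flow_csv, webui_host=WEBUI_HOST, expected=EXPECTED_INTERNAL):
    """Return (ts, dst_ip, dst_port) for each connection from the Open WebUI host
    to a non-global address that is not an expected dependency."""
    flagged = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src_ip"] != webui_host:
            continue                      # only the Open WebUI host is in scope
        try:
            dst = ipaddress.ip_address(row["dst_ip"])
            port = int(row["dst_port"])
        except ValueError:
            continue                      # malformed row; skip rather than crash
        if dst.is_global:
            continue                      # public destinations are the normal case
        if (row["dst_ip"], port) in expected:
            continue                      # known internal dependency
        flagged.append((row["ts"], row["dst_ip"], port))
    return flagged


def looks_like_internal_sweep(flagged, min_distinct=3):
    """True when the flagged rows touch at least min_distinct different
    internal destinations, a crude signal of infrastructure mapping."""
    return len({(dst, port) for _, dst, port in flagged}) >= min_distinct


if __name__ == "__main__":
    hits = flag_internal_egress(SAMPLE_FLOWS)
    for ts, dst, port in hits:
        print(f"{ts} {WEBUI_HOST} -> {dst}:{port}")
    print("sweep-like:", looks_like_internal_sweep(hits))
```

Tune the allowlist to your deployment before relying on the output; an Open WebUI instance that also talks to an internal vector store or proxy will otherwise produce steady false positives.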

🛡️ Detection Rules

Severity: high · ATT&CK: T1190 (Initial Access)

CVE-2026-45338: Open WebUI SSRF via OAuth Picture URL

Sigma YAML
title: CVE-2026-45338: Open WebUI SSRF via OAuth Picture URL
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-45338 by sending a POST request to the /api/auth/login endpoint with a 'picture=' parameter in the query string. This parameter is used by the vulnerable _process_picture_url() function to fetch arbitrary URLs, including internal ones, leading to SSRF.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45338/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # The POST requirement from the description lives in the referenced
  # selection; the original had it in an unreferenced block and used a
  # non-standard '|exact' modifier (plain equality is the Sigma default).
  selection_base:
    uri|contains: '/api/auth/login'
    cs-method: 'POST'
  selection_indicators:
    cs-uri-query|contains: 'picture='
  condition: selection_base and selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2026-45338  SSRF  Open WebUI < 0.9.0
CVE-2026-45338  SSRF  backend/open_webui/utils/oauth.py:_process_picture_url()
CVE-2026-45338  SSRF  Missing validate_url() in OAuth picture claim processing

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 16, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

Open WebUI XSS Allows Privilege Escalation to Super Admin

CVE-2026-45665 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists...


CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence

CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into...


CVE-2026-45350: Open WebUI API Flaw Exposes Tools to Unauthorized Access

CVE-2026-45350 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion...
