PT-2025-49128 · Unknown · Open-Webui
Published: 2025-12-04 · Updated: 2025-12-10 · CVE-2025-65958
CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.6.37
Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to reach cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. Exploitation requires only basic authentication and no special permissions: any logged-in user can make the server request an arbitrary URL on their behalf.
Recommendations: Update to version 0.6.37 or later.
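The advisory describes the classic SSRF impact: a server fetching user-supplied URLs can be pointed at link-local metadata services or RFC 1918 hosts. The following is an added, defensive example (not Open WebUI's code, and not its fix) of the outbound-URL validation a server should apply before fetching on a user's behalf. It assumes a hypothetical `check_outbound_url` hook in the fetch path, uses a constructed `FAKE_DNS` table so it runs offline, and checks every resolved address (not just the first), unwraps IPv4-mapped IPv6 literals, and rejects non-HTTP schemes and credentials in the URL. The hostname and network lists are assumptions chosen for the example, not an exhaustive list.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames used by cloud instance-metadata services. Assumed list for this
# example; extend it to match the environment the server runs in.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}

# Address ranges an outbound fetch made on behalf of a user must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local; contains 169.254.169.254 (AWS/GCP/Azure metadata)
    "100.64.0.0/10",    # carrier-grade NAT, also used by some metadata services
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "::1/128",          # IPv6 loopback
    "::/128",           # IPv6 unspecified
    "fc00::/7",         # IPv6 unique local (also covers AWS IMDS fd00:ec2::254)
    "fe80::/10",        # IPv6 link-local
)]

# Constructed DNS table so the example runs with no network access.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.1.2.3"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolver(host):
    """Offline stand-in for DNS; raises OSError like getaddrinfo on NXDOMAIN."""
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def system_resolver(host):
    """Real resolver: every A/AAAA answer for host (requires network)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]


def ip_is_blocked(ip_text):
    """True if the address falls in any blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must hit the IPv4 rules
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason). Call this before the server fetches a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if host.rstrip(".") in METADATA_HOSTNAMES:
        return False, f"metadata hostname {host!r}"
    # A literal IP needs no DNS; a name must resolve, and every answer is checked,
    # since an attacker-controlled zone can mix public and internal records.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses returned"
    for addr in addrs:
        if ip_is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://example.com/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "https://rebind.example/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_resolver))
```

Two caveats for anyone wiring a check like this into a fetch path: the validated address must be the one actually connected to (resolve once, connect to that IP, or re-validate inside the connection hook), otherwise a DNS answer that changes between check and connect bypasses it; and every HTTP redirect target must go through the same check, since a public host can 302 to an internal address.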

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2025-65958
GHSA-C6XV-RCVW-V685

Affected Products

Open-Webui