PT-2026-32582 · Unknown · Open-Webui

Gg0H · Published 2026-04-14 · Updated 2026-04-14 · CVE-2026-34225

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.7.3

Description

Open WebUI contains a Blind Server Side Request Forgery (SSRF) in the functionality used to edit an image via a prompt. The affected function performs a GET request to a user-provided URL without domain restrictions, enabling access to the local address space. Because the SSRF is blind, the response cannot be read, but the issue allows for port scanning of the local network by analyzing whether the GET request succeeds or fails. If a service on an open port is identified, an attacker may interact with it if that service provides state-changing GET request endpoints.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34225

Affected Products

Open-Webui