PT-2026-41172 · Unknown · Open-Webui

Published 2026-04-21 · Updated 2026-05-19 · CVE-2026-45331

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0

Description: A Server-Side Request Forgery (SSRF) bypass exists in the validate_url() function located in backend/open_webui/retrieval/web/utils.py. The function calls validators.ipv6(ip, private=True), but because the validators library does not implement the private keyword for IPv6, it raises a ValidationError. In a boolean context, this error is treated as falsy, so every IPv6 address bypasses the filter. Additionally, IPv4-mapped IPv6 addresses (e.g., ::ffff:10.0.0.1) bypass the IPv4 checks, and several reserved IPv4 ranges, such as 0.0.0.0/8, 100.64.0.0/10, and 192.0.0.0/24, are not blocked. This allows authenticated users to reach internal IPv4/IPv6 addresses, including cloud metadata, localhost-bound APIs, and internal services. Affected endpoints include '/api/v1/retrieval/process/web' and '/api/v1/images/edit'.

Recommendations: Update to version 0.9.0. As a temporary workaround, restrict access to the '/api/v1/retrieval/process/web' and '/api/v1/images/edit' endpoints to minimize the risk of exploitation.
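As an added illustration (not code from the Open WebUI project or from the 0.9.0 fix), the following Python validator shows the checks the description says were missing: an IPv4-mapped IPv6 address is unwrapped to its embedded IPv4 address before filtering, the reserved IPv4 ranges named above are blocked explicitly rather than left to the interpreter's notion of "private", and a parse error is a rejection, not a pass (the opposite of a raised ValidationError evaluating as falsy). The function names `is_public_address` and `url_is_allowed`, the injectable `resolver` parameter and the sample addresses are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the advisory names as unblocked, plus link-local. Listed explicitly
# so the result does not depend on which Python version's is_private/is_global
# tables are in use (100.64.0.0/10 in particular is not "private" on older
# interpreters).
EXTRA_BLOCKED_V4 = [
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space (CGNAT)
    ipaddress.ip_network("192.0.0.0/24"),    # IETF protocol assignments
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata
]


def is_public_address(ip_text: str) -> bool:
    """Return True only for a globally routable unicast address.

    Fails closed: anything unparsable is rejected instead of being treated
    as "not private".
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False

    # ::ffff:a.b.c.d carries an IPv4 address; filter the embedded address so
    # the IPv4 rules cannot be sidestepped by writing the address in IPv6 form.
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        elif ip.sixtofour is not None:        # 2002::/16 also embeds IPv4
            ip = ip.sixtofour

    if isinstance(ip, ipaddress.IPv4Address):
        if any(ip in net for net in EXTRA_BLOCKED_V4):
            return False

    # Same rule set for both families; no family-specific code path that
    # could silently raise and be misread as "allowed".
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global):
        return False
    return True


def _default_resolver(host: str) -> list:
    # Every A and AAAA record is returned; all of them must pass.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def url_is_allowed(url: str, resolver=_default_resolver) -> bool:
    """Decide whether a user-supplied fetch URL may be requested.

    `resolver` is injectable so the check can be exercised offline; the
    default performs a real DNS lookup. The caller should connect to one of
    the addresses validated here rather than re-resolving the name later.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname          # brackets stripped for IPv6 literals
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # literal address: no DNS step needed
        candidates = [host]
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError:             # gaierror is a subclass of OSError
            return False
    return bool(candidates) and all(is_public_address(c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample inputs covering the cases from the advisory text.
    for sample in ["8.8.8.8", "::ffff:10.0.0.1", "::1", "0.0.0.0",
                   "100.64.0.1", "192.0.0.9", "169.254.169.254", "fe80::1"]:
        print(f"{sample:>20}  public={is_public_address(sample)}")
```

The URL helper accepts a hostname only if every address it resolves to is public, so a name that mixes a public and an internal record is refused rather than being judged on whichever record came first.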

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-07199
CVE-2026-45331
GHSA-4V7R-F4W8-8972

Affected Products

Open-Webui