PT-2026-41195 · Unknown · Open-Webui

Published 2026-05-10 · Updated 2026-05-16 · CVE-2026-45400

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.9.5

Description

A parsing discrepancy between the urlparse and requests libraries allows for a Server-Side Request Forgery (SSRF) bypass. The validate_url() function uses urlparse to verify the hostname; however, urlparse and requests interpret certain URL structures differently. For example, in a URL like http://127.0.0.1:6666@1.1.1.1, urlparse identifies the hostname as 1.1.1.1 (a public address), while requests treats the backslash as a path character and connects to 127.0.0.1 (an internal address), bypassing the validation logic.

Recommendations

Update to version 0.9.5.
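
A defensive check that does not rely on a single parser's view of the host, as an added example (not Open WebUI's code and not the 0.9.5 fix): it refuses characters and URL parts on which parsers disagree, then requires every resolved address to be public. The helper name `check_outbound_url`, its `resolve` parameter and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _resolve(host, port):
    """Default resolver: every address the name maps to."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

def check_outbound_url(url, resolve=_resolve):
    """Return (ok, reason). Hypothetical helper, not Open WebUI's validate_url()."""
    # Refuse characters that URL parsers are known to interpret differently,
    # rather than trusting one parser's idea of where the host ends.
    if not url.isascii() or any(ord(c) <= 0x20 or c in "\\\x7f" for c in url):
        return False, "ambiguous character"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    # Userinfo is never needed for a fetch target and is what lets
    # host-looking text appear in front of the real host.
    if "@" in parts.netloc:
        return False, "userinfo"
    if not parts.hostname:
        return False, "no host"
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = resolve(parts.hostname, port)
    except OSError:
        return False, "unresolvable"
    # Every address the name maps to must be publicly routable.
    for addr in addrs:
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, "non-public address"
    return (True, "ok") if addrs else (False, "unresolvable")

if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    table = {"1.1.1.1": ["1.1.1.1"], "intranet.example": ["10.0.0.5"]}
    fake = lambda host, port: table[host]
    for u in ["http://1.1.1.1/", "http://127.0.0.1:6666@1.1.1.1",
              "http://intranet.example/", "http://1.1.1.1\\path"]:
        print(u, check_outbound_url(u, fake))
```

A check like this only holds if the HTTP client then connects to the address that was validated and every redirect target is re-checked; otherwise a second DNS lookup or a redirect can still reach an internal host.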

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-07439
CVE-2026-45400
GHSA-8W7Q-Q5JP-JVGX

Affected Products

Open-Webui