PT-2026-41196 · Unknown · Open-Webui

Published 2026-05-10 · Updated 2026-05-20 · CVE-2026-45401

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.5
Description: The validate_url() function in backend/open_webui/retrieval/web/utils.py validates only the initial URL supplied by the user. The downstream HTTP clients (synchronous requests, asynchronous aiohttp, and langchain's WebBaseLoader) follow HTTP 3xx redirects by default without re-validating the redirect target against the private-address and metadata-IP block lists. An authenticated user can therefore submit a public URL that redirects to an internal address (such as 127.0.0.1, 169.254.169.254, or an RFC 1918 range) and read the internal response body. This issue affects the following endpoints:
  • '/api/v1/retrieval/process/web'
  • '/api/v1/images/edit'
  • '/api/chat/completions' (when using an image_url content part)
Exploitation goes through the following vulnerable functions:
  • scrape()
  • fetch()
  • get_content_from_url()
  • load_url_image()
  • get_image_base64_from_url()
Recommendations: Update to version 0.9.5. As a temporary workaround, restrict access to the '/api/v1/retrieval/process/web', '/api/v1/images/edit', and '/api/chat/completions' endpoints to minimize the risk of exploitation.
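The per-hop re-validation that closes this class of bug, as an added example (not Open WebUI's own code): automatic redirects are disabled and every 3xx target is resolved and checked against loopback, link-local, RFC 1918 and other non-public ranges before the next request is issued. The transport callable, the resolver parameter, MAX_REDIRECTS and the fake DNS/transport fixtures are assumptions made for offline demonstration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse
MAX_REDIRECTS = 5  # assumed cap; also stops redirect loops

def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses (rejects 127/8, RFC 1918, 169.254/16, ...)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Reject non-http(s) URLs and any host that resolves to a non-public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:  # IP literal: check it directly
        ips = {str(ipaddress.ip_address(parsed.hostname))}
    except ValueError:  # hostname: check every address it resolves to
        try:
            ips = {info[4][0] for info in resolver(parsed.hostname, None)}
        except socket.gaierror:
            return False
    return bool(ips) and all(is_public_ip(ip) for ip in ips)

def safe_fetch(url: str, transport, resolver=socket.getaddrinfo):
    """Follow 3xx redirects by hand, re-validating every hop. `transport(url)` makes
    ONE request with auto-redirects disabled and returns (status, headers, body).
    Caveat: the transport resolves the name again, so it should pin the validated
    address to close the DNS-rebinding window."""
    for _ in range(MAX_REDIRECTS + 1):
        if not validate_url(url, resolver):
            raise ValueError(f"blocked non-public target: {url}")
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # Location may be relative
            continue
        return url, status, body
    raise ValueError("too many redirects")

# Constructed offline fixtures (not real hosts or addresses): a fake resolver and a
# fake transport in which a public page 302-redirects to the metadata address.
FAKE_DNS = {"example.com": "93.184.216.34", "metadata.internal": "169.254.169.254"}
def fake_resolver(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (FAKE_DNS[host], 0))]
def fake_transport(url):
    if url == "http://example.com/redirect":
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"public page"
```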

Weakness Enumeration: SSRF

Related Identifiers
BDU:2026-07198
CVE-2026-45401
GHSA-RH5X-H6PP-CJJ6

Affected Products
Open-Webui