PT-2026-54047 · Openwebui · Open-Webui
Mosstrow
·
Published
2026-06-30
·
Updated
2026-06-30
·
CVE-2026-56399
CVSS v3.1
5.0
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Open-Webui