CVE-2026-45401: Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints

Server-Side Request Forgery (SSRF) Bypass via HTTP Redirect Following in Web-Fetch, Image-Load, and Chat-Completion Endpoints

Summary

The validateurl() function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an imageurl content part, and any other route that calls these helpers.

Affected code paths

The bypass exists across multiple call sites; each independently follows redirects without re-validation.

Path 1 — sync scrape via SafeWebBaseLoader

backend/openwebui/retrieval/web/utils.py — SafeWebBaseLoader inherits from langchaincommunity.documentloaders.WebBaseLoader. The parent's scrape() calls self.session.get(url, self.requestskwargs). requestskwargs only sets timeout; allowredirects=False is not passed, so requests.Session.get() follows redirects with the default allowredirects=True. validateurl() is invoked once on the original URL only.

Path 2 — async fetch (aiohttp)

backend/openwebui/retrieval/web/utils.py — fetch() previously inherited the aiohttp default allowredirects=True. As of HEAD this path is fixed (allowredirects=False). Listed for completeness.

Path 3 — getcontentfromurl (sync requests.get)

backend/openwebui/retrieval/utils.py — response = requests.get(url, stream=True, timeout=30). No allowredirects=False. Reached via /api/v1/retrieval/process/web (file ingestion) and other routers that resolve external URLs.

Path 4 — loadurlimage (image edit)

backend/openwebui/routers/images.py — image-URL fetching helper used by the image-edit endpoint. Same pattern: validateurl() checks only the initial URL, the underlying HTTP client follows redirects without re-validation. Reachable via /api/v1/images/edit.

Path 5 — getimagebase64fromurl (chat-completion image inlining)

backend/openwebui/utils/files.py — getimagebase64fromurl() is invoked from converturlimagestobase64() in backend/openwebui/utils/middleware.py on every /api/chat/completions request whose message content includes an imageurl part. The shared aiohttp session pool (backend/openwebui/utils/sessionpool.py) does not override the aiohttp default allowredirects=True, and the call site itself does not pass allowredirects=False. This is the most reachable variant in the cluster: no special endpoint, no admin permission, no feature flag — any authenticated user can trigger it from a normal chat message.

Proof of concept

Authenticated low-privilege user; default config, no admin or special permissions required.

bash curl -X POST https://<target>/api/v1/retrieval/process/web \ -H "Authorization: Bearer <anyusertoken>" \ -H "Content-Type: application/json" \ -d '{"url": "https://httpbin.org/redirect-to?url=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fconfig&statuscode=302"}'

Response body contains the internal /api/config payload in file.data.content. Replace the redirect target with http://169.254.169.254/latest/meta-data/ for cloud metadata, or any internal hostname reachable from the server.

For the chat-completion path (Path 5), the same redirect is followed when an imageurl content part points to an attacker-controlled redirector:

bash curl -X POST https://<target>/api/chat/completions \ -H "Authorization: Bearer <anyusertoken>" \ -H "Content-Type: application/json" \ -d '{"model":"any","messages":[{"role":"user","content":[{"type":"text","text":"x"},{"type":"imageurl","imageurl":{"url":"http://attacker/redirect-to-imdsv1"}}]}]}'

Impact

Any authenticated user can read GET responses from any HTTP service reachable by the Open WebUI server process — cloud metadata services (IMDSv1 if available), localhost-bound application APIs, internal databases / monitoring / Kubernetes services, and VPN-bridged on-premise networks.

Recommended fix

For every call site that follows redirects, set allowredirects=False on the underlying HTTP client and add a per-hop validation loop using validateurl() on each Location: header.

Credits

Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.

- tenbbughunters — first to identify SafeWebBaseLoader sync scrape (Path 1) - YLChen-007 — first to identify loadurlimage (Path 4) - tempcollab — first to identify aiohttp fetch (Path 2) - sneaXOR — first to identify getcontentfromurl (Path 3) - nayakchinmohan — first to identify getimagebase64fromurl in chat-completion middleware (Path 5)