GHSA-v376-5ppg-xp5vMediumCVSS 5.0

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1...

Published
July 1, 2026
Last Modified
July 1, 2026

🔗 CVE IDs covered (1)

📋 Description

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.

🔗 References (5)