CVE-2026-54018

HIGH

Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects

Title source: cna
STIX 2.1

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302) by default, an attacker can bypass the validation by providing a safe URL that redirects to a restricted internal network address (e.g., localhost, Docker container network, or Cloud Metadata). This allows the application to access internal services despite ENABLE_RAG_LOCAL_WEB_FETCH being set to False This vulnerability is fixed in 0.9.6.

References (1)

Core 1
Core References

Scores

CVSS v3 7.7
EPSS 0.0029
EPSS Percentile 20.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (2)
open-webui/open-webui < 0.9.6
openwebui/open_webui < 0.9.6
Published Jun 23, 2026
Tracked Since Jun 23, 2026