CVE-2026-56399 PUBLISHED

Open WebUI - Server-Side Request Forgery via Location Redirect in /api/v1/retrieval/process/web

Assigner: VulnCheck
Reserved: 21.06.2026 Published: 30.06.2026 Updated: 01.07.2026

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. An attacker can supply a URL whose server responds with a Location redirect header, causing the endpoint to follow the redirect to internal services and potentially execute commands via instance secrets.
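The bypass works because the destination is validated once, before any redirect is followed, so the redirect target is never checked. As an added example (not Open WebUI's code), the routine below never auto-follows redirects and re-validates every hop against its resolved address; the `opener` and `resolver` callables are assumptions injected so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def default_resolver(host):
    """Resolve a hostname (or IP literal) to its address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_url(url, resolver=default_resolver):
    """Allow only http(s) URLs whose every resolved address is globally routable.

    Note: this check is still subject to DNS rebinding between resolve and
    connect; pinning the resolved address for the actual connection closes that gap.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    for addr in resolver(parts.hostname):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return False
    return True


def fetch_checked(url, opener, resolver=default_resolver, max_redirects=5):
    """Fetch url, validating the target of every redirect hop.

    opener(url) -> (status, headers, body) and must NOT follow redirects itself;
    headers keys are assumed lower-case.
    """
    for _ in range(max_redirects + 1):
        if not is_safe_url(url, resolver):
            raise ValueError(f"blocked destination: {url}")
        status, headers, body = opener(url)
        if status in REDIRECT_CODES and "location" in headers:
            # Relative Location values resolve against the current URL.
            url = urljoin(url, headers["location"])
            continue
        return url, status, body
    raise ValueError("too many redirects")
```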

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor open-webui
Product open-webui
Versions Default: unaffected
  • affected from 0 to 0.6.27 (excl.)
  • Version 0.6.27 is unaffected

Credits

  • Mosstrow (reporter)

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE