ByteOS Network

NVD Vulnerability Details :

CVE-2026-45338

Received

Source-security-advisories@github.com

Published At-15 May, 2026 | 22:16

Updated At-15 May, 2026 | 23:16

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() in backend/open_webui/utils/oauth.py (line ~1338). The function fetches arbitrary URLs from OAuth picture claims without applying validate_url(), allowing an attacker to force the server to make HTTP requests to internal resources and exfiltrate the full response. This vulnerability is fixed in 0.9.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 7.7

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-918	Secondary	security-advisories@github.com

CWE ID: CWE-918

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh	security-advisories@github.com	N/A
https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A

Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh

Source: security-advisories@github.com

Resource: N/A

Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-24c9-2m8q-qhmh

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History