CVE-2026-54008
HighCVSS 8.5Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
In Open WebUI prior to version 0.9.6, a vulnerability allows an attacker with a valid OAuth identity to submit a public URL that redirects to an internal address. This enables the attacker to read the internal response from their own profile_image_url field.
Risk Assessment
The organization may be exposed to the disclosure of sensitive internal data, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 0.9.6 or later to mitigate this vulnerability.
Original NVD description (English source)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without allow_redirects=False. aiohttp's default is allow_redirects=True, max_redirects=10; the function does not pass the project's AIOHTTP_CLIENT_ALLOW_REDIRECTS env constant either. An attacker with a valid OAuth IdP identity can therefore submit a public URL that 302-redirects to an internal address and read the internal response body via the attacker's own profile_image_url field. This vulnerability is fixed in 0.9.6.

