SB2026042443 - Server-Side Request Forgery (SSRF) in Open WebUI

Published: April 24, 2026

Security Bulletin ID: SB2026042443
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34225)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an authenticated remote user (PR:L in the vector above) to disclose limited sensitive information.

The vulnerability exists because the image edit functionality fetches a user-supplied image URL from the server side without validating where that URL points. A remote user can therefore submit a request whose image URL targets hosts that are reachable from the Open WebUI server but not from the user, such as loopback or other internal addresses, and use the server as a proxy to learn limited information about them.

The issue is blind: the fetched response body is never returned to the user, so it cannot be read directly. Differences in how the server responds when the target port is open versus closed (status code, error message or latency) are still observable, however, and can be used to scan for open ports on the local network behind the server.
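The two halves of the problem, as an added example for this bulletin rather than Open WebUI's own code: a server-side fetch that trusts the user's URL, the response differential that turns it into a port-scan oracle, and a destination check that refuses loopback, private, link-local and multicast targets before the fetch happens. It goes slightly beyond the bulletin by also refusing redirects and noting the DNS-rebinding gap. Every function and parameter name here (fetch_image_unchecked, probe, validate_image_url, fetch_image_checked, resolver, start_listener, closed_port) is an assumption chosen for illustration, and the loopback listener is a constructed test target.

```python
"""Blind SSRF through a user-supplied image URL, and the destination check that stops it.

Added example for this bulletin, not Open WebUI's code.  All names here are
assumptions chosen for illustration; the loopback listener is a constructed target.
"""
import http.client
import ipaddress
import socket
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Bypass any proxy so the example talks to loopback directly and deterministically.
_NO_PROXY = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_image_unchecked(url: str, timeout: float = 2.0) -> bytes:
    """The vulnerable pattern: the server fetches whatever URL the user sent."""
    with _NO_PROXY.open(url, timeout=timeout) as resp:
        return resp.read()


def probe(url: str, timeout: float = 2.0) -> str:
    """Classify a port from the *kind* of failure the server-side fetch produces.

    The body never reaches the attacker (the SSRF is blind), but a refused TCP
    connection fails differently from a port that accepts and then answers with
    an HTTP status, a non-HTTP banner, or nothing.  That differential is the oracle.
    """
    try:
        fetch_image_unchecked(url, timeout)
        return "open"
    except urllib.error.URLError as e:            # HTTPError is a subclass
        if isinstance(e.reason, ConnectionRefusedError):
            return "closed"
        return "open"                             # HTTP error status: something listens
    except (TimeoutError, socket.timeout):
        return "filtered"                         # no answer at all: dropped by a firewall
    except (OSError, http.client.HTTPException):
        return "open"                             # accepted, then reset or spoke non-HTTP


def _resolve(host: str) -> set[str]:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_image_url(url: str, resolver=_resolve) -> bool:
    """Allow only http(s) URLs whose every resolved address is publicly routable.

    `resolver` is injectable so the check can be exercised offline.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolver(parts.hostname)
    except OSError:                               # gaierror etc.: unresolvable, fail closed
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])   # drop IPv6 scope id
        except ValueError:
            return False
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                   # ::ffff:127.0.0.1 is still loopback
        # is_global is False for loopback, RFC 1918, link-local (169.254/16), CGNAT
        # and reserved space; multicast is checked separately because is_global
        # does not cover it for IPv4.
        if not ip.is_global or ip.is_multicast:
            return False
    return True


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a validated public URL could otherwise bounce to an internal one."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_CHECKED = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)


def fetch_image_checked(url: str, timeout: float = 2.0, resolver=_resolve) -> bytes:
    """Hardened fetch: validate the destination, then fetch without following redirects.

    Caveat: the name is resolved here and again inside the opener, so a DNS-rebinding
    attacker could swap the answer in between; pinning the connection to the
    validated address closes that gap and is left out of this example.
    """
    if not validate_image_url(url, resolver):
        raise ValueError("image URL points at a non-public address or unsupported scheme")
    with _CHECKED.open(url, timeout=timeout) as resp:
        return resp.read()


def start_listener() -> tuple[socket.socket, int]:
    """Constructed test target: a loopback service answering any request with HTTP 200."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                            # listener closed
            with conn:
                try:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Pick a loopback port nothing listens on (bind to 0, read it back, release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    target = f"http://127.0.0.1:{port}/image.png"
    print("unchecked probe, listening port:", probe(target))                                   # open
    print("unchecked probe, closed port:", probe(f"http://127.0.0.1:{closed_port()}/image.png"))  # closed
    print("hardened check allows the target?", validate_image_url(target))                     # False
    srv.close()
```

Run it as a script to see the oracle in action: the unchecked fetch reports "open" for the loopback listener and "closed" for a port nothing is bound to, while the hardened path refuses both because 127.0.0.1 is not globally routable. The check resolves the hostname rather than pattern-matching the URL string, so "localhost", decimal or octal IP spellings and IPv4-mapped IPv6 forms all collapse to the same decision.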


Remediation

Install the update from the vendor's website. Until it is applied, restricting the server's outbound connections to the hosts it genuinely needs, with loopback and internal address ranges kept out of reach, limits what a blind probe through the image edit functionality can learn.