Server-Side Request Forgery (SSRF) in Open WebUI - CVE-2026-34225


Published: April 24, 2026


Vulnerability identifier: #VU127479
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34225
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software: Open WebUI

Detailed vulnerability description

The vulnerability allows a remote, authenticated user (the CVSS vector requires low privileges, PR:L) to disclose limited sensitive information.

The vulnerability exists due to server-side request forgery in the image edit functionality when processing a user-supplied image URL. The server fetches whatever URL the user submits, so a specially crafted request can point it at hosts that are reachable from the Open WebUI server but not from the user, such as loopback services or machines on the local network.

The issue is blind: the body of the fetched response is not returned to the user, so it cannot be read directly. However, the server responds differently depending on whether the target host and port accepted the connection, and those response differentials can be used to scan for open ports on the local network. The impact is therefore limited to learning which internal services exist, which is why the severity is rated Low.
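The check a server-side image fetcher needs before following a user-supplied URL is shown below as an added example in Python; it is not code from the advisory or from the Open WebUI project, and the function names, the `resolver` hook and the sample URLs are assumptions for illustration. It accepts only http/https, refuses embedded credentials, resolves the host name, rejects any resulting address in loopback, private, link-local (including the 169.254.169.254 metadata endpoint), NAT64 or other special-purpose ranges after unmapping IPv4-mapped IPv6 literals, and hands back the address it checked so the caller connects to that address instead of resolving a second time.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations an image fetcher must never reach. These are standard IANA
# special-purpose ranges, not taken from the advisory (added example).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network; 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes cloud metadata 169.254.169.254
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved and limited broadcast
    "::/128",           # IPv6 unspecified
    "::1/128",          # IPv6 loopback
    "64:ff9b::/96",     # NAT64 well-known prefix
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
    "ff00::/8",         # IPv6 multicast
)]


def default_resolver(host):
    """Return every A/AAAA address for host; all of them must pass the check."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(addr):
    """True if the address string lies in a blocked range. IPv4-mapped IPv6
    literals such as ::ffff:127.0.0.1 are unmapped first so they cannot
    slip past the IPv4 rules."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_safe_target(url, resolver=default_resolver):
    """Validate a user-supplied URL. Returns (host, pinned_ip, port) when it
    is safe to fetch; raises ValueError with the reason otherwise. The caller
    should connect to pinned_ip (sending host in the Host header / SNI)
    rather than resolve again, which closes the DNS-rebinding window between
    check and fetch, and should run this on every redirect target as well."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # hostname strips IPv6 brackets; an IP literal needs no DNS lookup. Forms
    # like 0x7f.1 or 2130706433 are rejected by ipaddress but accepted by many
    # system resolvers, so they fall through and are judged on what they
    # resolve to.
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in sorted(addrs):
        if is_blocked_ip(addr):
            raise ValueError(f"target resolves to blocked address {addr}")
    return host, sorted(addrs)[0], port


def validate_image_url(url, resolver=default_resolver):
    """Convenience wrapper: None when the URL is safe, else the rejection reason."""
    try:
        resolve_safe_target(url, resolver)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs; the fake resolver stands in for DNS so this
    # runs offline.
    fake_dns = {"cdn.example": {"203.0.113.10"},
                "rebind.example": {"203.0.113.7", "10.0.0.1"}}
    for u in ("https://cdn.example/a.png",
              "http://127.0.0.1:8080/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://rebind.example/x",
              "file:///etc/passwd"):
        print(u, "->", validate_image_url(u, lambda h: fake_dns.get(h, set())) or "ok")
```

Checking every resolved address (not just the first) matters because a name that returns one public and one private record would otherwise pass while the HTTP client happily picks the private one. The validator deliberately does not look at the response, so it also stops the blind port-scan variant: the request to an internal host is never sent, and there is no differential to observe.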


How to mitigate CVE-2026-34225

Install the security update from the vendor. No fixed version is given here, so check the Open WebUI release notes for the release that addresses CVE-2026-34225. Until the update is applied, SSRF of this class is contained by validating user-supplied image URLs before fetching them: allow only http and https, resolve the host name and reject any address in loopback, private, link-local (including the 169.254.169.254 cloud metadata endpoint) or other special-purpose ranges, connect to the address that was checked rather than resolving it again, and apply the same check to every redirect hop. Network egress rules on the Open WebUI host that deny outbound connections to internal ranges provide the same protection independently of the application. Because exploitation only requires a low-privileged account, restricting user registration on internet-facing instances reduces exposure as well.
