Path traversal in Open WebUI - CVE-2026-54017
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to access unintended endpoints and files on the terminal-server host and reach internal services via server-side request forgery.
The vulnerability exists due to path traversal in the terminal-server reverse proxy in backend/open_webui/routers/terminals.py when forwarding a user-controlled path segment to an admin-configured terminal server. A remote user can send a specially crafted request containing encoded traversal sequences to access unintended endpoints and files on the terminal-server host and reach internal services via server-side request forgery.
Exploitation requires that the user has been granted access to a terminal server. The policy_id form can allow traversal outside the intended policy namespace.
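A defensive check for this class of bug, shown as an added example (it is not Open WebUI's code and not the project's fix): it decodes a user-supplied path segment until stable, rejects traversal, and builds the upstream URL only from the admin-configured base. The names build_upstream_url, fully_decode and UnsafeProxyPath, and the host terminal.example.internal, are assumptions made for illustration.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit


class UnsafeProxyPath(ValueError):
    """The user-supplied path would leave the configured upstream base."""


def fully_decode(value: str, max_rounds: int = 5) -> str:
    # Decode until stable so double encoding (%252e%252e) cannot hide "..".
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise UnsafeProxyPath("path is percent-encoded too many times")


def build_upstream_url(base_url: str, user_path: str) -> str:
    """Join user_path onto the admin-configured base_url, or raise."""
    base = urlsplit(base_url)
    decoded = fully_decode(user_path)
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        raise UnsafeProxyPath("backslash or control character in path")
    if any(seg in (".", "..") for seg in decoded.split("/")):
        raise UnsafeProxyPath("dot segment in path")
    base_path = base.path.rstrip("/")
    candidate = posixpath.normpath(f"{base_path}/{decoded.lstrip('/')}")
    # Defence in depth: the normalised path must still sit under base_path.
    if candidate != base_path and not candidate.startswith(base_path + "/"):
        raise UnsafeProxyPath("path escapes upstream base")
    # Re-encode the validated path; "?" and "#" become data, not URL syntax.
    return f"{base.scheme}://{base.netloc}{quote(candidate, safe='/')}"


if __name__ == "__main__":
    base = "http://terminal.example.internal:8000/api"  # constructed host
    # Constructed sample inputs: one legitimate path, two encoded traversals.
    for p in ("files/list", "..%2fadmin", "%252e%252e/%252e%252e/x"):
        try:
            print(p, "->", build_upstream_url(base, p))
        except UnsafeProxyPath as exc:
            print(p, "-> rejected:", exc)
```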