Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)

1. Executive summary

A server-side request forgery (SSRF) vulnerability exists in Open WebUI's OAuth profile-picture handling that allows an attacker with a valid OAuth identity provider (IdP) account to read internal services and cloud metadata. The flaw is in backend/open_webui/utils/oauth.py::_process_picture_url (v0.9.5, lines 1435-1470), which validates the initial URL but does not prevent the underlying aiohttp client from following HTTP 302 redirects to internal addresses. This is the sixth call site affected by the same redirect-bypass class as CVE-2026-45401, which the v0.9.5 patch missed. All Open WebUI deployments at version 0.9.5 or earlier with OAuth signup or login-picture-update enabled are affected. EMEA financial services firms using Open WebUI for AI chat interfaces, particularly those running it in cloud environments or alongside internal services, face credential theft risk via cloud metadata services and unauthorised access to localhost-bound services such as Ollama at port 11434.

2. Regulatory framing

3. Technical analysis & attack chain

Attack chain

1. Initial access – OAuth authentication: Attacker possesses a valid identity on the configured OAuth IdP (Google, Microsoft, GitHub, or generic OIDC). Open WebUI is configured with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true.
2. Malicious URL injection: Attacker sets their IdP picture claim to http://attacker.example/r, a public URL that returns HTTP 302 redirects to internal addresses.
3. Validation bypass: When the attacker signs in via OAuth, Open WebUI calls _process_picture_url("http://attacker.example/r", ...). The validate_url() function accepts the public URL (FQDN resolves to a global IP), but does not prevent redirect-following.
4. Redirect to internal target: The attacker's redirect endpoint responds with HTTP/1.1 302 Found\r\nLocation: http://127.0.0.1:11434/api/tags (or any internal address: cloud metadata at 169.254.169.254, RFC1918 services, etc.).
5. SSRF execution: aiohttp's default behaviour (allow_redirects=True, max_redirects=10) follows the redirect server-side without re-validating the target. The internal response body is read into memory.
6. Data exfiltration: The response body is base64-encoded and stored as profile_image_url = "data:image/jpeg;base64,..." on the attacker's account. The attacker retrieves it via GET /api/v1/auths/ and decodes the base64 payload to obtain the full internal response.

Technical specifics

Vulnerable component: backend/open_webui/utils/oauth.py::_process_picture_url (v0.9.5, lines 1435-1470)

Vulnerability mechanism: The function calls validate_url(picture_url) on the initial URL only, then invokes aiohttp.ClientSession.get(picture_url, ...) without passing allow_redirects=False. The aiohttp default is allow_redirects=True, max_redirects=10. The function does not import or reference the project's AIOHTTP_CLIENT_ALLOW_REDIRECTS environment constant that the five paths patched in CVE-2026-45401 use.

Call sites affected

• oauth.py:1556 – new-user OAuth signup
• oauth.py:1536 – existing-user picture update on login

Exploitation requirements

• ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true (common in production OAuth-IdP deployments)
• Valid OAuth IdP identity (any provider: Google, Microsoft, GitHub, or generic OIDC)

Impact scope

• Cloud metadata services: AWS IMDSv1 at 169.254.169.254, GCP metadata.google.internal, Azure IMDS → IAM credentials, managed-identity tokens
• Localhost-bound services: Ollama at :11434, Redis, Elasticsearch, internal Postgres exporters
• RFC1918 internal infrastructure: Any internal service not exposed to the internet

Distinction from related CVEs

• CVE-2026-45338: Original _process_picture_url SSRF with no validate_url() call at all; fixed in v0.9.0. Different mechanism.
• CVE-2026-45400: validate_url() parser-disagreement bypass on \@ characters; fixed in v0.9.5. Orthogonal mechanism.
• CVE-2026-45401: Parent cluster affecting five paths in retrieval, routers/images, utils/files, utils/middleware. Same CWE-918 redirect-bypass mechanism. utils/oauth.py::_process_picture_url is not among the five paths in the parent advisory. Same class, missed sink.

Proof of concept: Executed against ghcr.io/open-webui/open-webui:v0.9.5 in Docker compose with three services: attacker (OIDC IdP + 302-redirect endpoint), canary (internal target), and Open WebUI v0.9.5. Sentinel SSRF-POC-5580111b2a0d7d0c8324bfa92a0d9d09 was successfully exfiltrated via the profile_image_url field.

4. Mitigation & containment

P1 – Within 24 hours

1. Upgrade to Open WebUI v0.9.6 or later. The fix version 0.9.6 addresses this vulnerability. Verify the upgrade via the release notes or commit history.
2. Disable OAuth signup and picture-update features temporarily if immediate patching is not feasible: - Set ENABLE_OAUTH_SIGNUP=false - Set OAUTH_UPDATE_PICTURE_ON_LOGIN=false - This prevents the vulnerable code path from being triggered until patching is complete.
3. Network segmentation: If Open WebUI runs in a cloud environment, ensure IMDSv1 is disabled and IMDSv2 is enforced with hop-limit=1. This prevents SSRF-based credential theft even if the vulnerability is exploited.

P2 – Within 72 hours

4. Audit OAuth IdP configurations: Review which IdPs are configured and ensure that only trusted identity providers are allowed. Consider restricting OAuth signup to allowlisted email domains if business requirements permit.
5. Monitor for exploitation attempts: Review logs for OAuth login events followed by profile_image_url fields containing base64-encoded data longer than typical image sizes (>10KB suggests non-image content).
6. Restrict outbound network access: Implement egress filtering to prevent Open WebUI from reaching internal RFC1918 ranges and metadata service IPs unless explicitly required.

P3 – Within 7 days

7. Conduct a comprehensive security review of all Open WebUI deployments to identify other potential SSRF vectors, particularly in custom integrations or plugins.
8. Update incident response procedures to include SSRF scenarios involving cloud metadata services and internal service access.
9. Review third-party risk assessments per DORA Art. 28 to ensure Open WebUI's security posture is documented and contractual provisions address vulnerability disclosure timelines.

5. Indicators of compromise

string  SSRF-POC-5580111b2a0d7d0c8324bfa92a0d9d09
string  U1NSRi1QT0MtNTU4MDExMWIyYTBkN2QwYzgzMjRiZmE5MmEwZDlkMDk=
string  !!! SSRF HIT - sentinel served

6. Detection

Sigma rule

title: Open WebUI SSRF via OAuth Profile Picture Redirect
id: a7f3e9c2-4b8d-4e1f-9c5a-2e8f7b3d1a6e
description: Detects potential SSRF exploitation via OAuth profile picture URL with redirect to internal services
author: Adverse Trace
date: 2026-06-18
reference: https://github.com/advisories/GHSA-226f-f24g-524w
logsource:
  product: open-webui
  service: application
detection:
  selection:
    event_type: oauth_login
    profile_image_url|startswith: 'data:image/'
  filter:
    profile_image_url|contains: 'iVBORw0KGgo'  # Common PNG header in base64
  condition: selection and not filter
  timeframe: 5m
level: high
tags:

  - attack.initial_access
  - attack.t1190

YARA rule

rule OpenWebUI_SSRF_OAuth_Profile_Picture
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-18"
        description = "Detects SSRF exploitation via Open WebUI OAuth profile picture redirect"
        reference = "https://github.com/advisories/GHSA-226f-f24g-524w"

    strings:
        $sentinel1 = "SSRF-POC-5580111b2a0d7d0c8324bfa92a0d9d09"
        $sentinel2 = "U1NSRi1QT0MtNTU4MDExMWIyYTBkN2QwYzgzMjRiZmE5MmEwZDlkMDk="
        $canary = "!!! SSRF HIT - sentinel served"

    condition:
        any of them
}

7. Sources

• GitHub Security Advisories — Open WebUI: Redirect-Bypass SSRF in OAuth _process_picture_url (incomplete-fix sibling of CVE-2026-45401) — https://github.com/advisories/GHSA-226f-f24g-524w — 2026-06-17
• GitHub Security Advisories — Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints — https://github.com/advisories/GHSA-rh5x-h6pp-cjj6 — (parent cluster)
• GitHub Security Advisories — Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects — https://github.com/advisories/GHSA-jrfp-m64g-pcwv — (related Playwright variant)
• GitHub Security Advisories — Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation — https://github.com/advisories/GHSA-j6w6-986j-2m2m — (related CSRF issue)

8. Adverse Trace position

This is a high-severity SSRF vulnerability in Open WebUI that enables cloud credential theft and internal service access with minimal attacker requirements (only a valid OAuth identity). The vulnerability is particularly concerning for EMEA financial services firms using Open WebUI in cloud environments or alongside internal services, as exploitation can lead to AWS/GCP/Azure credential compromise and unauthorised access to localhost-bound services. The fix is straightforward (upgrade to v0.9.6), but firms must also implement defence-in-depth measures including IMDSv2 enforcement, egress filtering, and monitoring for anomalous OAuth profile picture data. We will continue monitoring for exploitation attempts and will update this advisory if additional attack vectors or indicators emerge. Firms should prioritise patching and review their Open WebUI deployments for other potential SSRF sinks in custom configurations.

Read the original source →

Published via PulseTrace — Adverse Trace threat intelligence.