Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
1. Executive summary A server-side request forgery (SSRF) vulnerability exists in Open WebUI's OAuth profile-picture handling that allows an attacker with a
18 Jun 2026 · 5 min read
read →