CVE-2025-65958

High CVSS: 8.5

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37.

Vendor

Openwebui

Product

Open Webui

CWE

CWE-918

Yayın Tarihi

2025-12-04 20:16:19

Güncelleme

2025-12-10 15:18:38

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Open Webui HIGH Openwebui 2025

Referanslar

https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774 https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685 https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685

Benzer Kayıtlar

Medium

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Medium

CVE-2026-29070

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Low

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.…

High

CVE-2026-26193

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.…