Technical description
GitHub Security Advisory disclosed a cluster of vulnerabilities in Open WebUI, a self-hosted AI platform, affecting versions prior to 0.9.5. The vulnerabilities include SSRF via URL validation bypass (CVE-2026-45401, CVSS 8.5), unauthorized file attachment to user-controlled resources (CVE-2026-45402, CVSS 8.1), unauthorized model access bypassing per-model ACLs (CVE-2026-44563, CVSS 5.4), unauthenticated RAG pipeline configuration disclosure (CVE-2026-45397, CVSS 5.3), and system prompt leakage via model permission misconfiguration (CVE-2026-45387, CVSS 4.3).
Attack vector
The SSRF vulnerability allows attackers to bypass URL validation and access internal resources. The file-attachment issue permits unauthorized association of files with folders or knowledge bases the attacker controls. The model-access bypass forwards requests to upstream LLM providers without enforcing per-model ACLs. The RAG configuration disclosure exposes live pipeline settings to unauthenticated clients. The prompt leakage occurs when group read access inadvertently exposes system prompts to non-owner users.
Affected systems
Open WebUI versions prior to 0.9.5. Open WebUI is a moderately-deployed self-hosted platform for running AI models locally, particularly in developer and small-team environments.
Mitigation
Upgrade to Open WebUI version 0.9.5 or later immediately. Review and harden access control policies for models, folders, and knowledge bases. Audit RAG pipeline configurations and restrict API endpoints requiring authentication. Verify that system prompts are not exposed through group-level model permissions.