No vendor fix or workaround currently provided.
No advisories yet.
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets. | |
| Title | Open WebUI - Server-Side Request Forgery via Location Redirect in /api/v1/retrieval/process/web | |
| First Time appeared | Openwebui, Openwebui open Webui | |
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* | |
| Vendors & Products | Openwebui, Openwebui open Webui | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:40.248Z
Reserved: 2026-06-21T12:37:58.435Z
Link: CVE-2026-56399