CVE-2026-56399

CVE-2026-56399CVE-2026-56399

Description

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.

Scoring

CVSS 5.0 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Last modified2026-06-30
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.