CVE-2026-56399

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.
Configurations

No configuration.

History

30 Jun 2026, 23:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-30 23:17

Updated : 2026-06-30 23:17


NVD link : CVE-2026-56399

Mitre link : CVE-2026-56399

CVE.ORG link : CVE-2026-56399


JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)