CVE-2026-45400: Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`

May 14, 2026 (updated May 15, 2026)

In the open-webui project, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability.

References

github.com/advisories/GHSA-8w7q-q5jp-jvgx
github.com/open-webui/open-webui/releases/tag/v0.9.0
github.com/open-webui/open-webui/security/advisories/GHSA-8w7q-q5jp-jvgx
nvd.nist.gov/vuln/detail/CVE-2026-45400

Code Behaviors & Features

Detect and mitigate CVE-2026-45400 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →