CVE-2026-54018: Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
The SafePlaywrightURLLoader implements a validate_url function that prevents SSRF by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL.
Since Playwright automatically follows HTTP redirects (301/302) by default, an attacker can bypass the validation by providing a safe URL that redirects to a restricted internal network address (e.g., localhost, the Docker container network, or cloud metadata endpoints).
This allows the application to reach internal services even though ENABLE_RAG_LOCAL_WEB_FETCH is set to False.
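The defect is the single check before the first request. The following added example (not Open WebUI's code; the redirect and DNS tables are constructed stand-ins for live HTTP responses and name resolution, so it runs offline) shows a validate_url-style check applied once at the start beside a hardened fetch that re-validates the target at every redirect hop.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP responses (no network):
# maps a URL to the Location it would redirect to (None = final page, no redirect).
REDIRECTS = {
    "https://example.com/start": "https://example.com/hop",
    "https://example.com/hop": "http://169.254.169.254/latest/meta-data/",
    "https://example.com/page": None,
}

# Constructed DNS table: hostname -> resolved IP (stands in for socket.getaddrinfo).
DNS = {
    "example.com": "93.184.216.34",
    "169.254.169.254": "169.254.169.254",
    "localhost": "127.0.0.1",
}

def validate_url(url: str) -> bool:
    """Reject URLs whose host resolves to loopback, private, link-local or reserved space."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    resolved = DNS.get(parsed.hostname)
    if resolved is None:
        return False  # unresolvable host: fail closed
    ip = ipaddress.ip_address(resolved)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def fetch_vulnerable(url: str) -> Optional[str]:
    """Checks only the starting URL, then follows redirects blindly (the advisory's flaw)."""
    if not validate_url(url):
        return None
    while REDIRECTS.get(url) is not None:
        url = REDIRECTS[url]          # each hop is trusted without re-validation
    return url                        # final URL actually fetched

def fetch_hardened(url: str, max_hops: int = 5) -> Optional[str]:
    """Re-validates the URL at every hop, so a redirect cannot escape the check."""
    for _ in range(max_hops + 1):
        if not validate_url(url):
            return None               # refuse the whole fetch once any hop is internal
        nxt = REDIRECTS.get(url)
        if nxt is None:
            return url
        url = nxt
    return None                       # too many redirects: also fail closed
```

With a real client, the equivalent is disabling automatic redirect following and validating each Location header yourself before issuing the next request.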