CVE-2026-56399
MEDIUM
NVD
CVSS Score
5
Severity
MEDIUM
Published
Jun 30, 2026
Vendor
unknown
Description
Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.