VulnWatch VulnWatch
← Back to dashboard
Medium github · GHSA-f776-fp4w-266c

Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function

Published May 14, 2026 CVSS 4.3

Summary

Blind server side request forgery (SSRF) via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

Details

In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests, scripts and some potentially dangerous tags (iFrame, Object, etc.) are blocked, preventing server-side content from being read through this vulnerability. However, an image tag can be used to force a server-side request (SSRF), as shown in the following below.

PoC

Start a chat and export the PDF: grafik

Intercept the request and insert an `` tag into the title:

POST /api/v1/utils/pdf HTTP/2
Host: domain.local
//Some headers removed
Content-Type: application/json
Content-Length: 541
Te: trailers

{"title":"","messages":[{"id":"81f24589-384d-431c-a26c-5cd3382ac941","parentId":null,"childrenIds":["0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e"],"role":"user","content":"hallo","timestamp":1736932102,"models":["gpt-4o-POC"]},{"parentId":"81f24589-384d-431c-a26c-5cd3382ac941","id":"0c1a3ee1-6350-4bb4-b95e-fc2341c47e8e","childrenIds":[],"role":"assistant","content":"Hallo! Wie kann ich Ihnen helfen?","model":"gpt-4o-POC","modelName":"gpt-4o-POC","modelIdx":0,"userContext":null,"timestamp":1736932103,"done":true}]}

A HTTPS callback was received at https://d5jok0s7ghl1p77v5brlqlxwmnsega4z.oastify.com.

Impact

A user can force server-side GET requests. During the available testing time, no method was found to read the responses (Blind SSRF). Nonetheless, this should be prevented, as an attacker could enumerate internal assets through response delays and trigger arbitrary GET requests.

Resolution

Fixed in commit 167c8bf00, first released in v0.5.11 (2025-02). The fix wraps every user-controllable field that flows into the PDF HTML template (title, content, role, model, formatted date) in html.escape() before the template f-string is fed to fpdf2.write_html(). The PoC payload `` is escaped to <img src='...' /> and rendered as literal text by fpdf2, with no HTML parsing and no outbound request. Users on >= 0.5.11 are not affected.

SSRF

Affected AI Products

gpt-4
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.