Open WebUI
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- <= 0.8.12
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Open WebUI versions prior to 0.9.0. The issue resides in the '_process_picture_url()' function within 'backend/open_webui/utils/oauth.py'. This function fetches whatever URL appears in the OAuth picture claim without validating it, so an attacker who controls the claim can make the server issue HTTP requests to internal resources and obtain the full response. The vulnerability is reachable when 'ENABLE_OAUTH_SIGNUP' is enabled, or when 'OAUTH_UPDATE_PICTURE_ON_LOGIN' is set to true for existing users.
Exploitation allows an attacker to force the Open WebUI server to make HTTP requests to internal or localhost-bound services and to read the responses. Exposed data could include cloud metadata endpoints, internal network services, or local services such as Redis or Elasticsearch. The result is a full-read SSRF: the fetched response is encoded and stored in a user profile field, from which it can be retrieved through the Open WebUI API.
To reproduce this vulnerability, first set up an Open WebUI instance with OIDC OAuth configured and 'ENABLE_OAUTH_SIGNUP' enabled. Then, create a minimal OIDC server that returns a malicious picture claim pointing to an internal endpoint. After starting the OIDC server, run the Open WebUI instance with Docker, ensuring that the OAuth provider URL points to the malicious server. Once Open WebUI is running, create an admin account and log in using the TestOIDC provider. The OIDC server will receive a request to the canary endpoint, confirming that the SSRF vulnerability has been exploited. Finally, verify that the exfiltrated data is accessible through the Open WebUI API.
Users should update to Open WebUI version 0.9.0 or later, and apply 'validate_url()' before fetching URLs from OAuth picture claims to prevent SSRF vulnerabilities.
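The following is an added example of the kind of check the fix describes, written for this advisory; it is not Open WebUI's own 'validate_url()'. The function name 'is_safe_picture_url' and the injectable 'resolver' parameter are assumptions made here.

```python
# Added example (not Open WebUI's own validate_url()): reject OAuth picture-claim
# URLs that would make the server talk to internal, loopback or link-local hosts.
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> Iterable[str]:
    # Return every A/AAAA record: one public record is not enough if another is internal.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public_ip(ip: ipaddress._BaseAddress) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_picture_url(url: str,
                        resolver: Callable[[str], Iterable[str]] = _default_resolver) -> bool:
    """True only if the URL is http(s) and every resolved address is public."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # userinfo tricks such as http://trusted@169.254.169.254/
    try:
        addresses = list(resolver(parts.hostname))
    except (socket.gaierror, UnicodeError):
        return False
    if not addresses:
        return False
    try:
        # Cloud metadata (169.254.0.0/16) and local services (127.0.0.0/8, ::1) fail here.
        return all(_is_public_ip(ipaddress.ip_address(a)) for a in addresses)
    except ValueError:
        return False  # e.g. scoped IPv6 literal that ipaddress cannot parse
```

The fetch that follows must reuse the validated address (or re-check at connect time) and must not follow redirects blindly, otherwise DNS rebinding or a 302 to an internal host reopens the hole.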