CVE-2026-34225
Summary
There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be interacted with. Since the SSRF is blind (the response cannot be read) impact is port scanning of the local network because it can be confirmed if the port is open based on if the GET request failed.
Details
The vulnerability occurs here:
https://github.com/open-webui/open-webui/blob/2b26355002064228e9b671339f8f3fb9d1fafa73/backend/open_webui/routers/images.py#L850-L916
Line 911 shows the user provided URL passed to the function load_url_image. Within this function on line 883 HTTP/HTTPs URLs are trusted blindly and called asynchronously with requests.get.
PoC
The vulnerability can be reproduced with the following curl command:
curl -X POST http://localhost:3000/api/v1/images/edit \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"form_data":{
"image": "<url>",
"prompt": "poc"}
}'
Impact
Response differentials can be used to port scan the local network:
<img width="3016" height="736" alt="image" src="https://github.com/user-attachments/assets/93b4df52-b23c-4ed7-a5fa-9cbedb30091c" />
This can be automated to iterate through the entire port range to determine open ports. If the service running on an open port can be inferred the user may be able to interact with it in a meaningful way if the service offers any state changing GET request endpoints.
Remediation
Restrict provided URLs from local address space.
⚡ Watch CVE-2026-34225
Get an email if CVE-2026-34225 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.23% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 13% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-34225)