CVE-2026-54017
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
In versions prior to 0.9.6 of the Open WebUI platform, there is a vulnerability in the terminal-server reverse proxy that allows authenticated users to exploit `../` sequences to escape the intended path scope, potentially leading to unauthorized access to files and endpoints on the terminal server.
Risk Assessment
This vulnerability poses a risk of unauthorized access to internal services and files, which could lead to serious security breaches within the organization.
Recommendation
It is recommended to upgrade to version 0.9.6 or later to mitigate this vulnerability and implement additional security measures to restrict access to terminals.
Original NVD description (English source)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft `path` values containing encoded `../` traversal sequences that escape the intended path (or policy) scope on that server, reaching unintended endpoints and files on the terminal-server host. Where the terminal server fans requests out to internal services, this also gives SSRF-style reach into those services. This is a separate code path from the `/api/v1/retrieval/process/web` SSRF (GHSA-c6xv-rcvw-v685), with its own input. Two distinct vectors are consolidated here: first, raw path forwarding / single-encoded traversal (original report); and second, a bypass of the subsequently-added `_sanitize_proxy_path` mitigation using double-encoded dots (`%252e%252e`). The attacker-controlled input is the request `path`, supplied by the non-admin user, not anything an administrator configures, so this is not an admin-trust / Rule-9 situation. Version 0.9.6 fixes the issue.

