Open WebUI just dropped version 0.9.5, and it's all about locking down outbound HTTP requests. The big addition? Protection against redirect-based SSRF: by default, the HTTP client no longer follows 3xx redirects. That's the kind of plumbing most users won't see, but it's a critical defense against attackers trying to hop from a public URL into your internal network.
The core of this update is the AIOHTTP_CLIENT_ALLOW_REDIRECTS environment variable. Set to false by default, it tells the aiohttp client not to follow 3xx redirects on outbound HTTP calls: the 3xx response is returned to the caller instead of the client silently requesting whatever the Location header names. No more quietly following a redirect from a legitimate-looking URL to a loopback address like 127.0.0.1, the link-local cloud metadata endpoint 169.254.169.254, or an RFC 1918 private address. The change covers the major call sites: web fetch operations, image loading, OAuth discovery flows, tool server execution, and even the code interpreter's login routine. That's a lot of ground covered.
Why redirects? Because SSRF attacks often abuse them. An attacker supplies a URL on a server they control. The hostname looks innocuous and passes any check on the URL the user typed, but the server answers with a 302 whose Location points at an internal resource. Without this protection, Open WebUI's HTTP client, which followed redirects by default, would request the internal address and hand the response back, potentially exposing sensitive internal services or cloud instance metadata. Version 0.9.5 cuts that off at the knees. Note the scope, though: blocking redirects closes the hop through a redirecting server; it does not by itself reject a URL whose host is already an internal address, or a hostname that resolves to one. That is a separate check on the destination itself.
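To make the hop concrete, here is an added, self-contained demonstration written for this post; it is not Open WebUI's code. It uses only the Python standard library so it runs offline: a constructed local HTTP server plays both the attacker's "public" URL (which answers 302) and the "internal" target, and a client fetches the public URL twice, once following redirects and once refusing them. The names (`fetch`, `is_internal_address`, `demo`, the `/public` and `/internal` paths, the sample secret) are illustrative. With aiohttp, the equivalent of the refusing client is passing `allow_redirects=False` to `ClientSession.get`, which is the behaviour the environment variable selects.

```python
"""Redirect-based SSRF, reproduced locally with the standard library only."""
import http.server
import ipaddress
import socketserver
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample payload standing in for instance-metadata credentials.
INTERNAL_SECRET = "ROLE-CREDENTIALS: AKIA-EXAMPLE (constructed sample)"


class RedirectingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed server: /public bounces to /internal on the same loopback socket.
    In a real attack the first hop would be on the attacker's public host."""

    def do_GET(self):
        port = self.server.server_address[1]
        if self.path == "/public":
            self.send_response(302)
            self.send_header("Location", f"http://127.0.0.1:{port}/internal")
            self.end_headers()
        elif self.path == "/internal":
            body = INTERNAL_SECRET.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx: the policy AIOHTTP_CLIENT_ALLOW_REDIRECTS=false selects."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(
            req.full_url, code, f"redirect to {newurl} refused", headers, fp)


def fetch(url, allow_redirects):
    """Return (status, body, url_or_location).

    allow_redirects=True follows the 302 and returns the internal body.
    allow_redirects=False surfaces the 302 itself with an empty body and the
    Location it would have followed, so the internal host is never contacted."""
    handlers = [] if allow_redirects else [NoRedirect()]
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode(), resp.geturl()
    except urllib.error.HTTPError as e:
        return e.code, "", e.headers.get("Location", "")


def is_internal_address(url):
    """Classify a literal-IP target as loopback, link-local (169.254.0.0/16,
    which includes the metadata endpoint) or RFC 1918. Hostnames are not
    resolved here; deciding about a name needs DNS plus a rebinding check."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_private


def demo():
    """Fetch the same public URL under both policies; return both results."""
    srv = start_server()
    try:
        public_url = f"http://127.0.0.1:{srv.server_address[1]}/public"
        followed = fetch(public_url, allow_redirects=True)
        refused = fetch(public_url, allow_redirects=False)
        return followed, refused
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    followed, refused = demo()
    print("allow_redirects=True :", followed)
    print("allow_redirects=False:", refused, "internal target?",
          is_internal_address(refused[2]))
```

Run it and the first line shows the secret leaking through the redirect; the second shows the 302 stopped at the client with the Location it declined to follow, which `is_internal_address` flags. The same function returns False for a public hostname, which is exactly why a redirect block and a destination check are complementary rather than interchangeable.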
SSRF vulnerabilities are a favorite among penetration testers. They let an attacker pivot from the internet into private networks, often with devastating results. Think: accessing databases, internal dashboards, or cloud metadata that contains credentials. By blocking redirects by default, Open WebUI is raising the bar without requiring users to configure anything. It's a sensible security posture shift.
Of course, some legitimate use cases rely on redirects. That's why the variable exists: if you need to follow them, set AIOHTTP_CLIENT_ALLOW_REDIRECTS to true. Bear in mind that it is an environment variable, so it applies process-wide to every call site listed above rather than per URL; enable it only where the targets those call sites reach are trusted. Either way, the default is now the safe one. The release notes link the pull request (#24491) for those who want to read the implementation.
This isn't flashy, but it's the kind of hardening that prevents whole classes of attacks. For anyone running Open WebUI in a production or semi-trusted environment, v0.9.5 is a no-brainer upgrade.
Official Source: https://github.com/open-webui/open-webui/releases/tag/v0.9.5