CVE-2026-54017
Python Vulnerability Analysis and Mitigation

Overview

CVE-2026-54017 is a path traversal and Server-Side Request Forgery (SSRF) vulnerability in the terminal server reverse proxy of Open WebUI, affecting all versions up to and including 0.9.5. The flaw exists in backend/open_webui/routers/terminals.py, where the user-controlled path segment is not fully sanitized before being forwarded to an admin-configured terminal server. Two distinct attack vectors are consolidated under this CVE: single-encoded path traversal (original report) and a bypass of the subsequently-added _sanitize_proxy_path mitigation using double-encoded dots (%252e%252e). It was first published on June 11, 2026, and added to the GitHub Advisory Database on June 17, 2026, with a CVSS v3.1 base score of 7.7 (High) (GitHub Advisory, Open WebUI Advisory).

Technical Details

The root cause is improper input validation (CWE-22: Path Traversal; CWE-918: SSRF) in the proxy_terminal route, which accepts an arbitrary trailing path parameter and forwards it to the configured terminal server. Vector 1, the original report, involved no sanitization at all: single-encoded sequences such as ..%2F were forwarded directly, allowing traversal out of the intended scope. The first fix added _sanitize_proxy_path, which decodes the path with a single unquote() call and then applies a startswith('..') check. Vector 2 exploits that single decode pass: a double-encoded payload such as %252e%252e decodes to %2e%2e (not ..) on the first pass, passes the startswith('..') check, and is then decoded by the upstream terminal server into .., completing the traversal (GitHub Advisory, Open WebUI Advisory). Exploitation requires only low privileges: an authenticated user who has been granted access to a terminal server by an administrator.

Impact

An authenticated user with terminal server access can escape the intended path or policy scope on the terminal server host, reaching unintended endpoints and files. Where the terminal server proxies requests onward to internal services, the attacker gains SSRF-style access to those internal services, potentially exposing sensitive configuration data, credentials, or internal APIs. The scope change (CVSS S:C) reflects that the impact extends beyond the Open WebUI application itself to the terminal server host and any internally reachable services. Integrity and availability are not directly impacted, but confidentiality is rated High due to the potential for broad data exposure (GitHub Advisory).

Exploitation Steps

  1. Obtain authenticated access: Log in to an Open WebUI instance (version ≤ 0.9.5) with a non-admin account that has been granted access to at least one terminal server by an administrator.
  2. Identify the terminal server ID: Enumerate available terminal server connections via the Open WebUI interface or API to obtain a valid server_id.
  3. Craft a traversal payload: Construct a request path using double-encoded dot sequences to bypass the _sanitize_proxy_path check, e.g., %252e%252e/%252e%252e/sensitive-file.
  4. Send the malicious request: Issue an HTTP GET request to the proxy endpoint:
    GET /api/v1/terminals/{server_id}/%252e%252e/%252e%252e/sensitive-file
    The sanitizer decodes %252e%252e to %2e%2e, which passes the .. check. The upstream terminal server then decodes %2e%2e to .., resolving the traversal.
  5. Target policy namespace (higher impact): If a policy_id is configured, the proxy constructs {base_url}/p/{policy_id}/{safe_path}. A traversal payload escapes the policy namespace, reaching other policies or the terminal server root.
  6. Pivot to internal services: If the terminal server routes requests to internal services, use the traversal path to reach internal APIs or files not intended to be accessible (GitHub Advisory, Open WebUI Advisory).

Indicators of Compromise

  • Network: HTTP requests to /api/v1/terminals/{server_id}/ containing URL-encoded dot sequences such as %252e, %2e, ..%2F, or %252e%252e in the path segment; unexpected outbound requests from the terminal server to internal service endpoints.
  • Logs: Open WebUI access logs showing requests to /api/v1/terminals/ with anomalous path segments containing percent-encoded traversal sequences; terminal server logs showing requests arriving with decoded ../ sequences or paths resolving outside the expected directory scope.
  • Application Behavior: Responses from the terminal server proxy containing data from files or endpoints outside the configured policy or path scope; HTTP 200 responses to paths that should not be accessible under normal policy constraints.
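The network and log indicators above can be turned into a simple access-log check. The following is an added example written for this page, not Open WebUI code: it scans constructed common-log-format lines (the real Open WebUI access-log layout is an assumption here) for terminal-proxy requests whose trailing path segment carries literal, single-encoded or double-encoded dot sequences, and marks 2xx responses as the ones to triage first.

```python
import re

# Constructed sample access-log lines in common log format (assumed for illustration;
# Open WebUI's real log layout may differ). Only the terminal proxy paths matter here.
SAMPLE_LOG = """\
10.0.0.5 - alice [11/Jun/2026:10:01:02 +0000] "GET /api/v1/terminals/srv-1/status HTTP/1.1" 200 512
10.0.0.7 - bob [11/Jun/2026:10:01:10 +0000] "GET /api/v1/terminals/srv-1/%252e%252e/%252e%252e/sensitive-file HTTP/1.1" 200 2048
10.0.0.7 - bob [11/Jun/2026:10:01:11 +0000] "GET /api/v1/terminals/srv-1/..%2F..%2Fetc/passwd HTTP/1.1" 200 1024
10.0.0.9 - carol [11/Jun/2026:10:02:00 +0000] "GET /api/v1/chats/list HTTP/1.1" 200 300
10.0.0.7 - bob [11/Jun/2026:10:02:30 +0000] "GET /api/v1/terminals/srv-1/%2e%2e/config HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TERMINAL_PREFIX = "/api/v1/terminals/"


def terminal_path_segment(path):
    """Return the user-controlled trailing segment after /api/v1/terminals/{server_id}/,
    or None if the request is not for the terminal proxy at all."""
    if not path.startswith(TERMINAL_PREFIX):
        return None
    rest = path[len(TERMINAL_PREFIX):]
    # The first component is the server_id; everything after it is what the proxy forwards.
    _server_id, sep, trailing = rest.partition("/")
    return trailing if sep else ""


def classify(segment):
    """Map the raw (undecoded) segment to the encoding layer it shows, most suspicious first.
    Matching on the raw text keeps the detector independent of how the proxy decodes."""
    s = segment.lower()
    if "%25" in s:          # double-encoded percent sign: %252e, %252f, %25252e ...
        return "double-encoded"
    if "%2e" in s:          # single-encoded dot: %2e%2e
        return "single-encoded"
    if ".." in s:           # literal dot-dot, e.g. ..%2F (vector 1)
        return "literal"
    return None


def scan_log(text):
    """Return one finding per terminal-proxy request whose path segment carries a traversal indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        segment = terminal_path_segment(m["path"])
        if segment is None:
            continue
        kind = classify(segment)
        if kind is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "path": m["path"],
            "kind": kind,
            "status": status,
            # A 2xx on a traversal path means the upstream served something; triage these first.
            "likely_success": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["user"], f["kind"], f["status"], f["path"])
```

Because the check runs on the raw, undecoded path, any "%25" in the terminal segment is flagged, which also catches triple and deeper encodings; if legitimate terminal paths contain a literal percent sign, tighten that branch to "%252e" and "%252f". Correlate the "likely_success" hits with the terminal server's own logs, which should show the decoded ../ at the same timestamp.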

Mitigation and Workarounds

Upgrade Open WebUI to version 0.9.6 or later, which contains the fix for both traversal vectors. The fix replaces the single-pass unquote() call in _sanitize_proxy_path with an iterative decode loop (up to 8 passes) that normalizes the path until stable before applying the .. check, rejecting all depths of encoding including %2e%2e, %252e%252e, and %25252e%25252e. No configuration-based workaround is available for the double-encoded bypass; upgrading is the only complete remediation. As a partial risk reduction, administrators should minimize the number of non-admin users granted terminal server access until the patch is applied (GitHub Advisory, Open WebUI Advisory).
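To make the two vectors from the exploitation steps and the fix described above concrete, here is an added example written for this page. It is a reconstruction from the advisory text, not the actual code in backend/open_webui/routers/terminals.py. It models the three sanitizer generations the page describes (no sanitization, a single unquote() pass, an iterative decode bounded at 8 passes) and runs the page's payloads through each. Assumptions made here: the '..' check is applied per path segment, the terminal server decodes the forwarded path exactly once, and a path that does not stabilise within 8 passes is rejected.

```python
from urllib.parse import unquote

# Payloads drawn from the advisory text plus one benign path (constructed test inputs).
PAYLOADS = [
    "status",                                   # benign
    "..%2F..%2Fsensitive-file",                 # vector 1: literal dots, encoded slash
    "%2e%2e/%2e%2e/sensitive-file",             # single-encoded dots
    "%252e%252e/%252e%252e/sensitive-file",     # vector 2: double-encoded dots
    "%25252e%25252e/sensitive-file",            # triple-encoded dots
]


def has_dotdot_segment(path):
    """The '..' check, assumed here to be applied to each path segment."""
    return any(seg.startswith("..") for seg in path.split("/"))


def sanitize_none(path):
    """Pre-mitigation behaviour (vector 1): the segment is forwarded untouched."""
    return path


def sanitize_single_pass(path):
    """Reconstruction of the first mitigation as the advisory describes it: one unquote(),
    then the '..' check on the decoded result. This is the version %252e%252e bypasses."""
    decoded = unquote(path)
    if has_dotdot_segment(decoded):
        raise ValueError(f"rejected: {path!r}")
    return decoded


def normalize_until_stable(path, max_passes=8):
    """Decode repeatedly until a further pass changes nothing, bounded at 8 passes as the
    advisory says the 0.9.6 fix is. What happens past the bound is not stated on the page;
    rejecting the path is the assumption taken here."""
    current = path
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError(f"rejected: {path!r} did not stabilise within {max_passes} passes")


def sanitize_iterative(path, max_passes=8):
    """Hardened form: apply the '..' check only to the fully normalized path."""
    normalized = normalize_until_stable(path, max_passes)
    if has_dotdot_segment(normalized):
        raise ValueError(f"rejected: {path!r}")
    return normalized


def upstream_sees_traversal(forwarded):
    """Simulated terminal server, assumed to URL-decode the forwarded path exactly once
    before routing; that single decode is what turns %2e%2e into '..'."""
    return has_dotdot_segment(unquote(forwarded))


SANITIZERS = (
    ("none", sanitize_none),
    ("single_pass", sanitize_single_pass),
    ("iterative", sanitize_iterative),
)


def evaluate(payload):
    """For one payload, report per sanitizer generation: 'rejected' at the proxy,
    'traversal' if the simulated upstream would see '..', or 'forwarded' (harmless)."""
    outcome = {}
    for name, sanitizer in SANITIZERS:
        try:
            forwarded = sanitizer(payload)
        except ValueError:
            outcome[name] = "rejected"
            continue
        outcome[name] = "traversal" if upstream_sees_traversal(forwarded) else "forwarded"
    return outcome


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:40} {evaluate(p)}")
```

Two things the run makes visible that the prose only implies. First, the single-pass sanitizer forwards the decoded string, so it is the mitigation itself that supplies the extra decode layer which lets %252e%252e reach the upstream as %2e%2e; with no sanitizer at all, a once-decoding upstream never sees '..' from that payload. Second, a triple-encoded payload also slips past the single-pass check but only becomes a traversal if the upstream decodes more than once, whereas the iterative version rejects every depth up to its bound and, under the assumption above, anything deeper as well.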

This report was generated with the help of AI.

Related Python vulnerabilities:

CVE ID                Severity   Score   Technologies   Component                         CISA KEV exploit   Has fix   Publish date
GHSA-r253-r9jw-qg44   CRITICAL   10      Python         crawl4ai                          No                 Yes       Jun 18, 2026
GHSA-2jq4-q6vv-4cp3   CRITICAL   9.6     Python         crawl4ai                          No                 Yes       Jun 18, 2026
GHSA-hxpf-9xvq-wph8   CRITICAL   9.6     Python         netlicensing-mcp                  No                 Yes       Jun 18, 2026
GHSA-wm69-2pc3-rmmf   HIGH       8.6     Python         crawl4ai                          No                 Yes       Jun 18, 2026
CVE-2026-54017        HIGH       7.7     Python         cpe:2.3:a:openwebui:open_webui    No                 Yes       Jun 18, 2026
