Impact
Open WebUI, a self‑hosted AI platform, has a broken access control flaw in the handling of tool values in versions prior to 0.8.11. The weakness, identified as CWE‑285, allows an attacker to read or modify tool configurations without proper authentication. The CVE description does not explicitly state additional consequences such as privilege escalation, so any such impact remains an inference.
Affected Systems
All deployments of Open WebUI running a version older than 0.8.11 are affected. The vulnerability applies to the open-webui:open-webui product across all operating systems where the platform is installed.
Risk and Exploitability
The CVSS score of 7.7 classifies this issue as high severity. EPSS score of 5% indicates a nonnegligible exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits yet. Based on the description, the attack vector is inferred to be remote, exploiting exposed API endpoints that manage tool values, but the requirement for elevated credentials is not explicitly supported in the provided data.
OpenCVE Enrichment
Github GHSA