Impact
Open WebUI uses Redis as a shared cache for tool server configuration. In versions prior to 0.9.0, the keys tool_servers and terminal_servers are stored without an instance prefix. When multiple Open WebUI instances share the same Redis database, a write by an administrator on one instance will overwrite the value read by another instance. This results in the second instance using the configuration of the first, effectively revealing another instance’s settings and potentially allowing the attacker to influence the target instance’s behavior. The vulnerability is a type of configuration data poisoning and can contribute to confidentiality and integrity violations.
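The collision described above, as an added Python illustration that is not code from Open WebUI or from the advisory: an in-memory stand-in for the shared Redis database shows two instances clobbering each other's unprefixed tool_servers key, a per-instance key namespace that isolates them, and an audit helper a defender can run against a shared database to find the legacy keys. FakeRedis, ToolServerCache, the instance ids and the open-webui:<instance>: prefix are assumed names for this demo, not Open WebUI's real key layout.

```python
import fnmatch
import json

# Unprefixed keys named in the advisory (pre-0.9.0 behaviour).
LEGACY_KEYS = ("tool_servers", "terminal_servers")

class FakeRedis(dict):
    """In-memory stand-in for a shared Redis database (constructed for this
    demo); any redis-py client exposing get/set/scan_iter can replace it."""
    def set(self, key, value):
        self[key] = value

    def scan_iter(self, match="*"):
        return (k for k in list(self) if fnmatch.fnmatchcase(k, match))

class ToolServerCache:
    """prefixed=False reproduces the collision; the per-instance prefix is an
    assumed naming scheme, not Open WebUI's actual 0.9.0 key layout."""
    def __init__(self, redis, instance_id, prefixed=True):
        self.redis, self.instance_id, self.prefixed = redis, instance_id, prefixed

    def _key(self, name):
        return f"open-webui:{self.instance_id}:{name}" if self.prefixed else name

    def save(self, name, servers):
        self.redis.set(self._key(name), json.dumps(servers))

    def load(self, name):
        raw = self.redis.get(self._key(name))
        return json.loads(raw) if raw else []

def unprefixed_config_keys(redis):
    """Audit check: legacy unprefixed keys present in a shared Redis database.
    Anything returned is readable and overwritable by every co-tenant instance."""
    return sorted(k for k in redis.scan_iter("*_servers") if k in LEGACY_KEYS)

def demo(prefixed):
    """Two instances share one Redis; each admin saves their own tool servers.
    Returns what instance A serves afterwards plus the audit findings."""
    shared = FakeRedis()
    a = ToolServerCache(shared, "instance-a", prefixed)
    b = ToolServerCache(shared, "instance-b", prefixed)
    a.save("tool_servers", [{"url": "http://tools-a.internal"}])  # admin on A
    b.save("tool_servers", [{"url": "http://tools-b.internal"}])  # admin on B
    return a.load("tool_servers"), unprefixed_config_keys(shared)

if __name__ == "__main__":
    print("unprefixed:", demo(prefixed=False))  # A now serves B's config
    print("prefixed:  ", demo(prefixed=True))   # A keeps its own config
```

Run against a real shared Redis, unprefixed_config_keys() returning anything is the signal that instances are still exposing configuration to one another.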
Affected Systems
The affected product is open-webui:open-webui. All installations of Open WebUI earlier than version 0.9.0 that use Redis for caching and are configured to share a single Redis database across multiple instances are vulnerable. Deployments following the documented multi-region, blue-green, or cluster patterns that share a Redis instance are at risk.
Risk and Exploitability
The CVSS score of 8.7 reflects a high-severity vulnerability with well-defined attack conditions. Because no EPSS value is available, the exact probability of exploitation is unclear; the issue is not listed in CISA's KEV catalog. Exploitation requires administrative access to one of the Open WebUI instances that share the Redis database, and at least two instances must be configured to use the same Redis database. An administrator of one instance can immediately overwrite the configuration seen by users of another instance, which has a noticeable impact on a multi-instance deployment.
OpenCVE Enrichment
GitHub GHSA