Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chat_completion API, the parameters tool_ids and tool_servers are supplied by the user. These parameters are used to create a tools_dict by the middleware. This is then used by get_tool_by_id to retrieve the appropriate tool. However, there is no checks in that ensures the user that uses the API has permission to use the tool, meaning that a user can invoke any server tool by supplying the correct tool_id or tool_servers parameters via the chat completion API. Moreover, the authentication token stored in the server would be used when invoking the tool, so the tool will be invoked with the server privilege. This vulnerability is fixed in 0.8.6.
Published: 2026-05-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Open WebUI’s chat completion API allows an authenticated user to supply a tool’s identifier or server details so that any server tool can be invoked without permission checks. Because the server’s own authentication token is used when executing the tool, the tool runs with elevated privileges, effectively enabling the attacker to perform any action that the server is allowed to execute, potentially compromising data or system integrity. This flaw is disclosed as CWE‑862.

Affected Systems

Open WebUI versions before 0.8.6 are affected.

Risk and Exploitability

The CVSS base score of 7.1 reflects moderate severity; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, through the chat completion endpoint, and requires that the attacker have a valid user authentication token to invoke the API. An attacker with such a token can add arbitrary tool identifiers or server URLs to the request, bypassing the intended restriction mechanism and executing arbitrary server‑side code.

Generated by OpenCVE AI on May 15, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.8.6 or later, where the check against tool permissions has been added.
  • Restrict access to the chat completion API to only trusted users or networks, applying network segmentation or firewall rules as necessary.
  • Ensure that all server‑side tools are protected by explicit authorization checks and that any unused tools are disabled or removed from the system.

Generated by OpenCVE AI on May 15, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4pcg-253r-rf9w Open WebUI's chat completion API allows tool restrictions to be bypassed
History

Fri, 15 May 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chat_completion API, the parameters tool_ids and tool_servers are supplied by the user. These parameters are used to create a tools_dict by the middleware. This is then used by get_tool_by_id to retrieve the appropriate tool. However, there is no checks in that ensures the user that uses the API has permission to use the tool, meaning that a user can invoke any server tool by supplying the correct tool_id or tool_servers parameters via the chat completion API. Moreover, the authentication token stored in the server would be used when invoking the tool, so the tool will be invoked with the server privilege. This vulnerability is fixed in 0.8.6.
Title Open WebUI: Chat completion API allows tool restrictions to be bypassed
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T22:21:32.823Z

Reserved: 2026-05-11T21:40:08.178Z

Link: CVE-2026-45350

cve-icon Vulnrichment

Updated: 2026-05-15T22:18:32.106Z

cve-icon NVD

Status : Received

Published: 2026-05-15T22:16:55.323

Modified: 2026-05-15T23:16:21.280

Link: CVE-2026-45350

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T23:00:12Z

Weaknesses