Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for code execution ) to replace a tool's server-side Python content and trigger execution, bypassing the intended workspace.tools security boundary. This vulnerability is fixed in 0.9.5.
Published: 2026-05-15
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open WebUI platform performs privilege checks on tool operations to protect its server‑side Python code. Prior to version 0.9.5, the tool‑update endpoint lacked the workspace.tools permission check that the tool‑create endpoint uses. As a result an attacker who has been explicitly denied tool‑management rights can replace the Python source of any hosted tool and execute arbitrary code under the WebUI process user. This flaw is a classic case of improper privilege management (CWE‑269) and missing authorization (CWE‑862). The immediate consequence is that an untrusted user can gain code‑execution authority on the host.

Affected Systems

The affected product is Open WebUI, a self‑hosted artificial‑intelligence platform. Versions before 0.9.5 are vulnerable; the issue was fixed in 0.9.5. Users running any release earlier than 0.9.5 should review their deployment.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, and although the EPSS score is not available, the flaw can be triggered by an authenticated user who knows a tool identifier. No exploit is currently listed in the CISA KEV catalog. An attacker can forge a POST request to /api/v1/tools/id/{id}/update with malicious Python payload, replacing the tool’s server code and achieving arbitrary code execution.

Generated by OpenCVE AI on May 15, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.9.5 or later, which includes a correct workspace.tools authorization check on the tool‑update endpoint.
  • Before patching, revoke the workspace.tools permission from all untrusted or low‑privilege users so that the update endpoint cannot be misused during the transition period.
  • Verify that the tool‑update endpoint now requires the workspace.tools role by attempting a test update with a non‑privileged account; a 403 Forbidden response should be returned.

Generated by OpenCVE AI on May 15, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p4fx-23fq-jfg6 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
History

Tue, 19 May 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Openwebui
Openwebui open Webui
CPEs cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*
Vendors & Products Openwebui
Openwebui open Webui

Mon, 18 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Fri, 15 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for code execution ) to replace a tool's server-side Python content and trigger execution, bypassing the intended workspace.tools security boundary. This vulnerability is fixed in 0.9.5.
Title Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
Weaknesses CWE-269
CWE-862
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Open-webui Open-webui
Openwebui Open Webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T03:55:37.045Z

Reserved: 2026-05-12T01:48:40.450Z

Link: CVE-2026-45395

cve-icon Vulnrichment

Updated: 2026-05-18T12:46:32.867Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-15T21:16:37.450

Modified: 2026-05-19T03:05:29.810

Link: CVE-2026-45395

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T21:30:08Z

Weaknesses