Main Vulnerability Database SB2026042442

SB2026042442 - Improper Authorization in Open WebUI

Published: April 24, 2026

Security Bulletin ID SB2026042442

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Authorization (CVE-ID: CVE-2026-34222)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper authorization in the Tool Valves endpoint when handling requests to read tool valve data. A remote user can send a crafted request for a tool valve to disclose sensitive information.

Exploitation requires a verified account with at least Member privileges, and tool identifiers are trivial to guess because imported tool IDs are derived from tool names.

Remediation

Install update from vendor's website.

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-7429-hxcv-268m