SB2026051161 - Missing Authorization in Open WebUI



Published: May 11, 2026

Security Bulletin ID: SB2026051161
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Missing Authorization (CVE-ID: N/A)

The vulnerability allows a remote user to invoke restricted tools and access their output.

The vulnerability exists due to missing authorization in the chat_completion API when processing user-supplied tool_ids or tool_servers parameters. A remote user can supply crafted tool identifiers to invoke restricted tools and access their output.

Such requests can cause the server to use stored authentication tokens when invoking the selected tool.
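
The missing check described above, sketched as a server-side authorization step that runs before any tool or stored token is used. This is an added example, not Open WebUI's code: the Tool/User model, can_use, authorize_tool_ids and the sample registry are hypothetical, and only the tool_ids parameter is covered.

```python
# Added illustration: hypothetical data model and names, not Open WebUI's code.
from dataclasses import dataclass


class ToolAccessDenied(Exception):
    """A request named a tool the caller may not use."""


@dataclass(frozen=True)
class Tool:
    id: str
    owner_id: str
    allowed_user_ids: frozenset = frozenset()
    allowed_group_ids: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"
    group_ids: frozenset = frozenset()


def can_use(user, tool):
    """Owner, admin, or an explicit user/group grant."""
    return (user.role == "admin" or tool.owner_id == user.id
            or user.id in tool.allowed_user_ids
            or bool(user.group_ids & tool.allowed_group_ids))


def authorize_tool_ids(user, requested_ids, registry):
    """Resolve requested_ids to Tool objects, or raise before anything runs.

    Unknown and forbidden ids raise the same error, so the response does not
    reveal which restricted tool ids exist.
    """
    if not isinstance(requested_ids, list) or not all(
            isinstance(i, str) for i in requested_ids):
        raise ToolAccessDenied("tool_ids must be a list of strings")
    resolved = []
    for tool_id in dict.fromkeys(requested_ids):  # de-duplicate, keep order
        tool = registry.get(tool_id)
        if tool is None or not can_use(user, tool):
            raise ToolAccessDenied("tool not available")
        resolved.append(tool)
    return resolved


# Constructed sample data.
REGISTRY = {"notes": Tool("notes", "alice", frozenset({"bob"})), "admin_db": Tool("admin_db", "root")}
```

The whole request is rejected when any one id fails the check, so a permitted tool cannot be used to carry a restricted one through.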


Remediation

Install the update from the vendor's website.