Missing Authorization in Open WebUI - #VU130943

 


Published: May 11, 2026


Vulnerability identifier: #VU130943
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Open WebUI
Software vendor: Open WebUI

Description

The vulnerability allows a remote user to invoke restricted tools and access their output.

The vulnerability exists due to missing authorization in the chat_completion API when processing user-supplied tool_ids or tool_servers parameters. A remote user can supply crafted tool identifiers to invoke restricted tools and access their output.

Such requests can cause the server to use stored authentication tokens when invoking the selected tool.
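
The following is an added example, not Open WebUI's own code: it contrasts resolving request-supplied tool_ids without a check against a deny-by-default resolver that runs before any tool or stored token reaches the invoker. The User/Tool model, the registry contents and all function names are assumptions made for illustration; references passed in tool_servers would need the same gate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    role: str                      # "admin" or "user" (assumed role model)

@dataclass(frozen=True)
class Tool:
    id: str
    owner_id: str
    granted_to: frozenset = frozenset()   # user ids with an explicit grant
    stored_token: str = ""                # credential the server attaches when invoking

class ToolAccessDenied(Exception):
    def __init__(self, denied):
        super().__init__(f"tool access denied: {denied}")
        self.denied = denied

# Constructed sample registry; ids and tokens are placeholders.
REGISTRY = {
    "calc": Tool("calc", owner_id="u-admin", granted_to=frozenset({"u-alice"})),
    "crm_export": Tool("crm_export", owner_id="u-admin", stored_token="PLACEHOLDER-TOKEN"),
}

def can_use(user, tool):
    # Hypothetical policy: admins, the owner, or users with an explicit grant.
    return user.role == "admin" or tool.owner_id == user.id or user.id in tool.granted_to

def resolve_tools_unchecked(registry, tool_ids):
    # Pattern the advisory describes: ids from the request body are trusted as-is.
    return [registry[t] for t in tool_ids if t in registry]

def resolve_tools_authorized(registry, user, tool_ids):
    # Deny by default: check every requested id before any tool, or its
    # stored token, reaches the invoker. Unknown and unauthorized ids get
    # the same error so the response does not reveal which ids exist.
    allowed, denied = [], []
    for tool_id in dict.fromkeys(tool_ids):      # de-duplicate, keep order
        tool = registry.get(tool_id)
        if tool is not None and can_use(user, tool):
            allowed.append(tool)
        else:
            denied.append(tool_id)
    if denied:
        raise ToolAccessDenied(denied)           # fail the whole request
    return allowed
```

Rejecting the whole request, rather than silently dropping the denied ids, also gives the server a clear event to log and alert on.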


Remediation

Install the security update from the vendor's website.
