CVE-2026-45395 Overview
CVE-2026-45395 is a missing authorization vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The tool update endpoint POST /api/v1/tools/id/{id}/update does not enforce the workspace.tools permission check that is present on the tool create endpoint. An authenticated user explicitly denied tool management capabilities can replace a tool's server-side Python content and trigger execution. This bypasses the intended workspace.tools security boundary and grants untrusted users code execution on the host. The flaw is tracked under CWE-269 (Improper Privilege Management) and is fixed in version 0.9.5.
Critical Impact
Authenticated users without tool permissions can replace Python tool code on the server and trigger its execution, leading to arbitrary code execution within the Open WebUI process context.
Affected Products
- Open WebUI versions prior to 0.9.5
- Self-hosted Open WebUI deployments exposing the tools API
- Multi-user Open WebUI instances where workspace.tools permission is denied to untrusted users
Discovery Timeline
- 2026-05-15 - CVE-2026-45395 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45395
Vulnerability Analysis
Open WebUI exposes a workspace concept where administrators assign granular permissions to users. The workspace.tools permission controls whether a user can create, modify, or manage tools, which are server-side Python modules executed by the platform. Administrators rely on this permission to gate code execution capabilities for untrusted users.
The tool create endpoint correctly verifies the workspace.tools permission before allowing a user to register new Python tool content. The tool update endpoint at POST /api/v1/tools/id/{id}/update omits this check entirely. Any authenticated user able to reach an existing tool ID can overwrite its Python source through the update endpoint.
Because Open WebUI executes tool code server-side when the tool is invoked, the attacker replaces benign tool logic with arbitrary Python and triggers execution. The result is code execution under the Open WebUI service account, defeating the administrator's permission policy.
Root Cause
The root cause is an inconsistent authorization policy across related endpoints. The create handler enforces workspace.tools, while the update handler relies only on baseline authentication. This is a classic Broken Access Control pattern where a sensitive write operation lacks a permission check present on its sibling operation.
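The inconsistency described above can be caught before release with a route audit. This is an added example, not Open WebUI or vendor code: the route table and its placeholder paths are constructed, and only the update path comes from the advisory.

```python
from collections import defaultdict

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed route tables: (method, path, resource, permissions the handler enforces).
# "<tool-create-path>" and "<tool-read-path>" are placeholders, not real routes.
ROUTES_VULNERABLE = [
    ("POST", "<tool-create-path>", "tools", {"workspace.tools"}),
    ("POST", "/api/v1/tools/id/{id}/update", "tools", set()),  # check missing
    ("GET", "<tool-read-path>", "tools", set()),
]
ROUTES_FIXED = [
    ("POST", "<tool-create-path>", "tools", {"workspace.tools"}),
    ("POST", "/api/v1/tools/id/{id}/update", "tools", {"workspace.tools"}),
    ("GET", "<tool-read-path>", "tools", set()),
]


def audit_write_routes(routes):
    """Flag write routes enforcing fewer permissions than a sibling write
    route on the same resource."""
    by_resource = defaultdict(list)
    for method, path, resource, perms in routes:
        if method in MUTATING:  # read routes are out of scope for this check
            by_resource[resource].append((method, path, set(perms)))
    gaps = []
    for writes in by_resource.values():
        # Every permission any sibling write route demands for this resource.
        required = set().union(*(perms for _, _, perms in writes))
        for method, path, perms in writes:
            missing = required - perms
            if missing:
                gaps.append((method, path, sorted(missing)))
    return gaps


if __name__ == "__main__":
    print(audit_write_routes(ROUTES_VULNERABLE))
    print(audit_write_routes(ROUTES_FIXED))
```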
Attack Vector
Exploitation requires network access to the Open WebUI API and a valid authenticated session for a user who has been explicitly denied workspace.tools. The attacker enumerates accessible tool IDs, issues a POST /api/v1/tools/id/{id}/update request with a malicious Python payload in the tool content field, then invokes the tool to trigger execution. No user interaction is required from the administrator or other users.
See the GitHub Security Advisory GHSA-p4fx-23fq-jfg6 for vendor details on the affected code path.
Detection Methods for CVE-2026-45395
Indicators of Compromise
- HTTP POST requests to /api/v1/tools/id/{id}/update originating from accounts that do not hold the workspace.tools permission.
- Unexpected modifications to tool Python source recorded in Open WebUI database tables or audit logs.
- New outbound network connections, shell processes, or file system writes initiated by the Open WebUI service process following a tool update.
Detection Strategies
- Correlate API access logs against the user-to-permission mapping and alert when tool update calls are made by users lacking workspace.tools.
- Hash tool source on disk or in the database and alert on unauthorized changes between baseline snapshots.
- Monitor the Open WebUI service for child process creation, since legitimate tool execution should match a known set of operations.
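The first strategy above, as an added example (not Open WebUI or vendor code): it scans access-log lines for tool update calls and flags those made by users who lack workspace.tools. The log format, user names, tool IDs, and permission map are constructed for illustration; adapt the parsing to what your proxy or application actually logs.

```python
import re

# Assumed log format (constructed): "<timestamp> <user> <METHOD> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Path of the affected endpoint, from the advisory; a query string is tolerated.
UPDATE_RE = re.compile(r"^/api/v1/tools/id/([^/?]+)/update/?(?:\?.*)?$")

# Constructed user-to-permission mapping, e.g. exported from the admin panel.
PERMISSIONS = {
    "alice": {"workspace.tools"},
    "bob": set(),  # explicitly denied tool management
}

# Constructed sample log lines.
SAMPLE_LOG = """\
2026-05-16T09:00:01Z alice POST /api/v1/tools/id/weather/update 200
2026-05-16T09:02:13Z bob POST /api/v1/tools/id/weather/update 200
2026-05-16T09:02:40Z bob GET /api/v1/tools/id/weather 200
2026-05-16T09:05:00Z mallory POST /api/v1/tools/id/calc/update?x=1 200
2026-05-16T09:06:30Z bob POST /api/v1/tools/id/calc/update 403
not a log line
"""


def find_unauthorized_updates(log_text, permissions):
    """Return one finding per tool update call by a user lacking workspace.tools."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, method, path, status = m.groups()
        upd = UPDATE_RE.match(path)
        if method.upper() != "POST" or not upd:
            continue
        # Users missing from the mapping are treated as having no permissions.
        if "workspace.tools" in permissions.get(user, set()):
            continue
        findings.append({
            "time": ts, "user": user, "tool_id": upd.group(1),
            # 2xx means the write went through: that tool's source needs review.
            "severity": "high" if 200 <= int(status) < 300 else "info",
        })
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_updates(SAMPLE_LOG, PERMISSIONS):
        print(finding)
```

A "high" finding on a pre-0.9.5 instance means the tool's stored source should be compared against a known-good copy.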
Monitoring Recommendations
- Forward Open WebUI application logs and reverse proxy access logs to a centralized analytics platform for retention and correlation.
- Review administrative audit trails weekly for tool create and update activity and validate against assigned permissions.
- Track the Open WebUI version inventory to ensure all instances are running 0.9.5 or later.
How to Mitigate CVE-2026-45395
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later, which adds the missing workspace.tools permission check on the tool update endpoint.
- Audit all existing tools for unauthorized Python content modifications and restore known-good versions where tampering is suspected.
- Rotate any secrets, API keys, or model credentials that were accessible to the Open WebUI process during the exposure window.
Patch Information
The vendor fixed CVE-2026-45395 in Open WebUI 0.9.5 by enforcing the workspace.tools permission check on the POST /api/v1/tools/id/{id}/update endpoint. Patch details are available in the Open WebUI GHSA-p4fx-23fq-jfg6 advisory.
Workarounds
- Restrict network access to the Open WebUI API so that only trusted administrators can reach the tools endpoints until patching completes.
- Temporarily disable or remove user accounts that should not have tool management capabilities, since the permission boundary cannot be enforced on vulnerable versions.
- Place Open WebUI behind a reverse proxy that blocks POST /api/v1/tools/id/{id}/update for non-admin users as a compensating control.
```nginx
# Example NGINX rule blocking tool update endpoint except from trusted admin network
location ~ ^/api/v1/tools/id/.+/update$ {
    allow 10.0.0.0/24; # admin subnet
    deny all;
    proxy_pass http://open_webui_upstream;
}
```

