PatchSiren cyber security CVE debrief
CVE-2026-45395 open-webui CVE debrief
CVE-2026-45395 describes an authorization flaw in Open WebUI’s tool update endpoint. Prior to version 0.9.5, a user explicitly denied tool management could still update an existing tool and trigger execution of the changed server-side Python content, bypassing the workspace.tools permission boundary that the create endpoint already enforced.
- Vendor: open-webui
- Product: Unknown
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-19
Who should care
Administrators and operators of self-hosted Open WebUI deployments, especially environments that give accounts of limited trust access to the instance and rely on the workspace.tools permission to keep tool management (and therefore server-side Python execution) restricted to a smaller set of users.
Technical summary
The issue is a missing permission check in POST /api/v1/tools/id/{id}/update. The create endpoint already enforced workspace.tools, but the update endpoint did not, so the only requirement to modify a tool was an authenticated session, not the permission the deployment had configured. As described in the source advisory and NVD record, this allowed an authenticated user with insufficient tool-management privileges to replace a tool’s server-side Python content and cause it to execute, an authorization bypass with confidentiality, integrity, and availability impact on the backend. NVD lists CVSS v3.1 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and CWE-269 (Improper Privilege Management) / CWE-862 (Missing Authorization). Note that the NVD vector scores Privileges Required as High, while the precondition described in the advisory is an authenticated account that has been denied workspace.tools; treat any non-admin account as in scope when assessing exposure.
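To make the gap concrete, the following added example models the pattern the advisory describes: a create handler gated on a dotted workspace.tools permission, an update handler that forgot the same gate, and the corrected update handler. This is illustrative code written for this debrief, not Open WebUI’s source; the User, Config, ToolStore and has_permission names, the admin-always-allowed rule, and the nested permission dictionary are assumptions chosen to mirror the behaviour in the text.

```python
"""Illustrative model of the CVE-2026-45395 authorization gap (added example,
not Open WebUI code). Names and the permission model are assumptions."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the required permission."""


@dataclass
class User:
    id: str
    role: str  # "admin" or "user"


@dataclass
class Config:
    # Per-deployment switch: may ordinary users manage tools? (assumed shape)
    user_permissions: dict = field(
        default_factory=lambda: {"workspace": {"tools": False}})


@dataclass
class ToolStore:
    tools: dict = field(default_factory=dict)  # tool id -> Python source


def has_permission(user: User, permission: str, config: Config) -> bool:
    """Admins always pass; users pass only if the dotted key resolves to True."""
    if user.role == "admin":
        return True
    node = config.user_permissions
    for part in permission.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return node is True


def create_tool(user, config, store, tool_id, content):
    """Create endpoint: enforced workspace.tools before and after the fix."""
    if not has_permission(user, "workspace.tools", config):
        raise Forbidden("workspace.tools required")
    store.tools[tool_id] = content
    return tool_id


def update_tool_vulnerable(user, config, store, tool_id, content):
    """Pre-0.9.5 shape: checks the tool exists, never the caller's permission."""
    if tool_id not in store.tools:
        raise KeyError(tool_id)
    store.tools[tool_id] = content  # replaced content is what the server runs
    return tool_id


def update_tool_fixed(user, config, store, tool_id, content):
    """Fixed shape: the same gate as create, applied before any mutation."""
    if not has_permission(user, "workspace.tools", config):
        raise Forbidden("workspace.tools required")
    if tool_id not in store.tools:
        raise KeyError(tool_id)
    store.tools[tool_id] = content
    return tool_id


def demo():
    """Show what each handler lets a permission-denied user do."""
    config, store = Config(), ToolStore()
    admin, limited = User("admin", "admin"), User("mallory", "user")
    create_tool(admin, config, store, "weather", "def run(): return 'sunny'")
    results = {}
    try:
        create_tool(limited, config, store, "evil", "import os")
        results["create"] = "allowed"
    except Forbidden:
        results["create"] = "denied"
    # The vulnerable update path silently accepts the replacement.
    update_tool_vulnerable(limited, config, store, "weather", "import os  # replaced")
    results["update_vulnerable"] = store.tools["weather"]
    try:
        update_tool_fixed(limited, config, store, "weather", "pass")
        results["update_fixed"] = "allowed"
    except Forbidden:
        results["update_fixed"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that an authorization check on one verb of a resource (create) does not protect the others (update, delete); the fixed handler applies the identical gate before touching the store, which is the shape to look for when reviewing similar routers.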
Defensive priority
High priority for any deployment using Open WebUI tools, because the flaw breaks a documented privilege boundary and tool content is Python that runs on the server: replacing it gives the caller code execution in the Open WebUI backend. The NVD reference for the fix is tagged Exploit as well as Mitigation and Vendor Advisory. Apply the fix in 0.9.5 as soon as practical.
Recommended defensive actions
- Upgrade Open WebUI to version 0.9.5 or later.
- Review which users can create or update tools and confirm that only trusted administrators retain that access; remember that before the fix, workspace.tools did not restrict updates, so any account could reach the update endpoint.
- Audit recent tool updates for unexpected changes to server-side Python content, paying particular attention to edits by non-admin accounts and to tools that run with elevated access.
- Monitor authenticated calls to POST /api/v1/tools/id/{id}/update, and alert on successful updates by accounts that are not permitted to manage tools.
- If patching is delayed, temporarily reduce exposure of tool-management functionality to the smallest trusted operator set possible, for example by limiting which accounts can authenticate to the instance at all.
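As an added example of the audit and monitoring steps above, the script below runs a simple detection over access-log lines: it flags successful tool updates by accounts that are neither admins nor explicitly allowed to manage tools, and marks the telling sequence where the same account was refused on the create endpoint and then succeeded on update. The log format, field names, the /api/v1/tools/create path and the sample lines are constructed for this example and are not Open WebUI output; adapt the regular expressions to your reverse proxy or application log. Only the update path is taken from the advisory.

```python
"""Added example: detect tool updates by accounts that should lack
workspace.tools. Log format and sample lines are constructed, not real output."""
import re
from collections import Counter

# Constructed sample access log (not real Open WebUI logs).
SAMPLE_LOG = """\
2026-05-16T09:58:02Z user=alice role=admin POST /api/v1/tools/id/weather/update 200
2026-05-16T10:01:50Z user=bob role=user POST /api/v1/tools/create 403
2026-05-16T10:02:11Z user=bob role=user POST /api/v1/tools/id/weather/update 200
2026-05-16T10:02:40Z user=bob role=user POST /api/v1/tools/id/weather/update 200
2026-05-16T10:03:05Z user=carol role=user GET /api/v1/tools/id/weather 200
2026-05-16T10:04:12Z user=dave role=user POST /api/v1/tools/id/search/update 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# The update path is the one named in the advisory; the create path is assumed.
UPDATE_RE = re.compile(r"^/api/v1/tools/id/(?P<tool_id>[^/]+)/update$")
CREATE_PATH = "/api/v1/tools/create"


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_updates(log_text, allowed_users, users_may_manage_tools=False):
    """Return (alerts, per_tool_update_counts).

    An update is suspicious when it succeeded (2xx) and the caller is not an
    admin, is not in allowed_users, and the deployment does not grant
    workspace.tools to ordinary users. Each alert records whether the same
    account had already been refused on the create endpoint, which is the
    exact pattern the missing check makes possible.
    """
    alerts, counts, denied_create = [], Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"] == CREATE_PATH and rec["status"] == "403":
            denied_create.add(rec["user"])
            continue
        m = UPDATE_RE.match(rec["path"])
        if not m or not rec["status"].startswith("2"):
            continue  # failed updates are the gate working, not a finding
        tool_id = m.group("tool_id")
        counts[tool_id] += 1
        if rec["role"] == "admin" or rec["user"] in allowed_users:
            continue
        if users_may_manage_tools:
            continue
        alerts.append({
            "ts": rec["ts"],
            "user": rec["user"],
            "tool_id": tool_id,
            "create_denied_earlier": rec["user"] in denied_create,
        })
    return alerts, counts


if __name__ == "__main__":
    found, per_tool = find_suspicious_updates(SAMPLE_LOG, allowed_users={"alice"})
    for a in found:
        print(a)
    print(dict(per_tool))
```

The per-tool counter is useful on its own for the audit step: a tool whose source changed several times in a short window, or changed at all by an account outside the expected set, is the one whose current content should be diffed against a known-good copy before it runs again.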
Evidence notes
The CVE description states that prior to 0.9.5 the POST /api/v1/tools/id/{id}/update endpoint lacked the workspace.tools permission check present on the create endpoint. The same source says this permitted a user explicitly denied tool management capabilities to replace a tool’s server-side Python content and trigger its execution. NVD records the issue with CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H and lists CWE-269 and CWE-862. The fix version is given as 0.9.5. No CISA KEV listing appears in the stored evidence.
Official resources
- CVE-2026-45395 CVE record (CVE.org)
- CVE-2026-45395 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected], tagged Exploit, Mitigation, Vendor Advisory
Publicly disclosed on 2026-05-15 through the GitHub security advisory referenced by NVD; the NVD entry was subsequently modified (see the update dates listed above).