PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45350 Openwebui CVE debrief

CVE-2026-45350 is a high-severity authorization flaw in Open WebUI’s chat completion API. In versions before 0.8.6, caller-controlled tool selection parameters (tool_ids and tool_servers) are resolved without checking whether the requesting user is permitted to use the selected tool, so an authenticated user can bypass tool restrictions and invoke server tools with credentials held on the server. The vendor-fixed version is 0.8.6.

Vendor: Openwebui
Product: Open WebUI
CVSS: 7.1 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Administrators and operators of self-hosted Open WebUI deployments, especially those that expose the chat completion API to more than a single trusted user or that rely on server tools and tool-server integrations backed by server-held credentials.

Technical summary

According to the NVD record and the GitHub security advisory, the chat_completion API accepts user-supplied tool_ids and tool_servers values. Middleware converts them into a tools_dict and resolves each entry through get_tool_by_id, but no authorization check verifies that the requesting user is allowed to access the selected tool. A caller can therefore supply any valid tool ID or tool server reference and invoke a server tool outside their permissions. The advisory also states that the authentication token stored on the server is used when the tool is invoked, so the tool runs with the server's credentials rather than the caller's. All versions before 0.8.6 are affected.

Defensive priority

High

Recommended defensive actions

  • Upgrade Open WebUI to version 0.8.6 or later.
  • Review whether the chat completion API is reachable by untrusted users or by a broader internal audience than the tool permissions assume; until the upgrade is applied, treat every user who can call it as able to select any registered server tool.
  • Audit configurations and workflows that rely on server tools or that accept tool_servers/tool_ids inputs.
  • Review the scope of credentials stored server-side for tool invocation; where such a credential may have been exercised by unauthorized users before the upgrade, rotate it.
  • Validate after upgrading that only intended users can access tool-enabled features, for example by submitting a restricted tool ID from a low-privileged account and confirming it is refused.
  • Monitor application logs for unexpected tool invocations or permission boundary violations.

Evidence notes

The supplied NVD record marks the vulnerability as analyzed and lists an official GitHub security advisory as the vendor reference. The advisory and the NVD description both identify the issue as an authorization failure in tool selection for the chat completion API, affecting versions before 0.8.6. The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, consistent with a network-reachable authorization bypass by a low-privileged authenticated user, with high confidentiality and limited integrity impact. No KEV entry was supplied.

Official resources

CVE published 2026-05-15 and modified 2026-05-18, based on the supplied timeline fields.