PT-2026-41180 · Unknown · Open-Webui

Published 2026-03-01 · Updated 2026-05-29 · CVE-2026-45350

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.6

Description: A flaw in the chat completion API allows users to bypass tool restrictions, potentially leading to unauthorized actions or access. In the '/api/chat/completions' endpoint, the `tool_ids` and `tool_servers` parameters are supplied by the user and used by the middleware to build a tools dict, which is then passed to the `get_tool_by_id()` function to retrieve each tool. Because the system never verifies whether the user has permission to use the requested tool, an attacker can invoke any server tool by supplying the corresponding `tool_ids` or `tool_servers` values. Furthermore, the tool is executed using the server's own authentication token, so the request runs with server-level privileges.

Recommendations: Update to version 0.8.6 or later.
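The following is an added illustration of the missing-authorization pattern the description refers to, written for this page; it is not Open WebUI's code. The tool registry, the `access_control` layout, the `SERVER_TOKEN` value and the helper names (`user_can_access_tool`, `build_tools_vulnerable`, `build_tools_fixed`) are all constructed assumptions. The vulnerable builder trusts caller-supplied tool ids and attaches the server's credential to every tool; the fixed builder checks the caller's entitlement to each tool before including it and runs the tool under the caller's own token.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical, simplified tool registry (constructed for this example, not Open WebUI's model).


@dataclass(frozen=True)
class User:
    id: str
    role: str    # "admin" or "user"
    token: str   # the caller's own session token


@dataclass
class Tool:
    id: str
    owner_id: str
    # None: only the owner may use it; otherwise an allow-list of user ids under "read".
    access_control: Optional[dict] = None


SERVER_TOKEN = "srv-secret-token"   # constructed: the server's own credential

TOOLS = {
    "weather": Tool("weather", owner_id="alice",
                    access_control={"read": {"user_ids": ["bob"]}}),
    "admin_shell": Tool("admin_shell", owner_id="root"),   # owner-only
}


def get_tool_by_id(tool_id: str) -> Optional[Tool]:
    """Look up a tool by id; returns None for unknown ids."""
    return TOOLS.get(tool_id)


def user_can_access_tool(user: User, tool: Tool) -> bool:
    """Authorization decision: admins and owners always pass, others need an allow-list entry."""
    if user.role == "admin" or tool.owner_id == user.id:
        return True
    if tool.access_control is None:
        return False
    return user.id in tool.access_control.get("read", {}).get("user_ids", [])


def build_tools_vulnerable(user: User, tool_ids: list) -> dict:
    """Vulnerable pattern: every caller-supplied id is resolved and the tool is
    bound to the server's own token, so any user reaches any tool with server rights."""
    tools = {}
    for tid in tool_ids:
        tool = get_tool_by_id(tid)
        if tool is not None:
            tools[tid] = {"tool": tool, "token": SERVER_TOKEN}
    return tools


class ToolAccessDenied(PermissionError):
    """Raised when the caller is not entitled to a requested tool."""


def build_tools_fixed(user: User, tool_ids: list) -> dict:
    """Hardened pattern: check the caller's entitlement for each requested tool
    and bind the tool to the caller's own token, never the server's."""
    tools = {}
    for tid in tool_ids:
        tool = get_tool_by_id(tid)
        if tool is None:
            continue   # unknown ids are simply ignored
        if not user_can_access_tool(user, tool):
            raise ToolAccessDenied(f"user {user.id} may not use tool {tid}")
        tools[tid] = {"tool": tool, "token": user.token}
    return tools


if __name__ == "__main__":
    bob = User("bob", "user", "tok-bob")
    requested = ["weather", "admin_shell"]
    print("vulnerable:", sorted(build_tools_vulnerable(bob, requested)))
    try:
        build_tools_fixed(bob, requested)
    except ToolAccessDenied as exc:
        print("fixed:", exc)
```

The key design point is that authorization is evaluated per requested tool against the requesting user, and the credential attached to the tool is the caller's, so a tool invoked through the chat endpoint can never exceed what that caller could do directly.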

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2026-07188
CVE-2026-45350
GHSA-4PCG-253R-RF9W

Affected Products

Open-Webui