PT-2026-41190 · Unknown · Open-Webui

Published: 2026-05-10 · Updated: 2026-05-19 · CVE-2026-45395

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.5

Description: A missing authorization check in the tool update endpoint "POST /api/v1/tools/id/{id}/update" allows users to bypass the workspace.tools security boundary. While the tool creation endpoint correctly enforces this permission, the update endpoint only verifies that the user holds a write access grant on the tool. As a result, a user who has been explicitly denied tool management capabilities can replace a tool's server-side Python content and trigger arbitrary code execution via the exec() function. This effectively grants an untrusted user shell access to the server, enabling them to read sensitive environment variables, access the application database, and read arbitrary files from the container filesystem.

Recommendations: Update to version 0.9.5. As a temporary workaround, restrict write access grants on tools to only fully trusted users until the update is applied.
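The following is an added illustration of the authorization gap described above, written for this page; it is not Open WebUI's code, and every name in it (User, Tool, has_permission, update_tool_vulnerable, update_tool_fixed) is hypothetical. It models the pattern the advisory describes: the create path enforces the workspace.tools permission, the vulnerable update path checks only the per-tool write grant, and the fixed update path applies the same permission boundary as create before honouring the grant. Tool content is stored as a string and never executed here.

```python
# Added example, not Open WebUI's code. All names below are hypothetical.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails (stands in for an HTTP 401/403)."""


@dataclass
class User:
    id: str
    role: str = "user"  # "admin" or "user"
    # Workspace-level permissions; a key that is absent or False is a denial.
    permissions: dict = field(default_factory=dict)


@dataclass
class Tool:
    id: str
    user_id: str                      # owner of the tool
    content: str                      # server-side Python source (never executed here)
    write_access: set = field(default_factory=set)  # user ids holding a write grant


def has_permission(user: User, key: str) -> bool:
    """Workspace permission check; admins pass, everyone else needs an explicit True."""
    return user.role == "admin" or bool(user.permissions.get(key, False))


def has_write_access(user: User, tool: Tool) -> bool:
    """Per-tool grant check: admin, owner, or an explicit write grant on this tool."""
    return user.role == "admin" or user.id == tool.user_id or user.id in tool.write_access


def create_tool(user: User, tool_id: str, content: str) -> Tool:
    """Create path: enforces the workspace.tools boundary, as the advisory says it does."""
    if not has_permission(user, "workspace.tools"):
        raise Forbidden("workspace.tools permission required")
    return Tool(id=tool_id, user_id=user.id, content=content)


def update_tool_vulnerable(user: User, tool: Tool, new_content: str) -> Tool:
    """Vulnerable update path: only the per-tool write grant is consulted,
    so a user explicitly denied workspace.tools can still replace the content."""
    if not has_write_access(user, tool):
        raise Forbidden("write access required")
    tool.content = new_content
    return tool


def update_tool_fixed(user: User, tool: Tool, new_content: str) -> Tool:
    """Fixed update path: same workspace boundary as create, then the per-tool grant."""
    if not has_permission(user, "workspace.tools"):
        raise Forbidden("workspace.tools permission required")
    if not has_write_access(user, tool):
        raise Forbidden("write access required")
    tool.content = new_content
    return tool


def _allowed(fn, *args) -> bool:
    """True if the handler accepts the request, False if it raises Forbidden."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False


def demo() -> dict:
    """Constructed scenario: a user denied workspace.tools who nevertheless holds
    a write grant on an admin-owned tool. Returns which handlers let each request through."""
    admin = User("admin", role="admin")
    denied = User("mallory", permissions={"workspace.tools": False})
    trusted = User("alice", permissions={"workspace.tools": True})
    tool = Tool("t1", user_id=admin.id, content="def f():\n    return 1",
                write_access={denied.id, trusted.id})

    return {
        "denied_can_create": _allowed(create_tool, denied, "t2", "pass"),
        "denied_can_update_vulnerable": _allowed(update_tool_vulnerable, denied, tool, "# replaced"),
        "denied_can_update_fixed": _allowed(update_tool_fixed, denied, tool, "# replaced"),
        "trusted_can_update_fixed": _allowed(update_tool_fixed, trusted, tool, "# ok"),
        "admin_can_update_fixed": _allowed(update_tool_fixed, admin, tool, "# ok"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the two update functions side by side is that the per-tool write grant is a narrower, delegable control, while workspace.tools is the boundary that decides whether a user may manage tools at all; an endpoint that consults only the former lets the latter be bypassed. The interim workaround in the advisory (restricting write grants to trusted users) shrinks the set of users for whom the vulnerable path is reachable, which the constructed `denied` user here illustrates: remove `mallory` from `write_access` and the vulnerable handler refuses the request too.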

Exploit · Fix · LPE

Weakness Enumeration: Missing Authorization; Improper Privilege Management

Related Identifiers: BDU:2026-07197 · CVE-2026-45395 · GHSA-P4FX-23FQ-JFG6

Affected Products: Open-Webui