{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45350/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.8.5)"],"_cs_severities":["high"],"_cs_tags":["cve","cve-2026-45350","privilege escalation","web application"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI is vulnerable to a tool restriction bypass in its chat completion API. Specifically, versions 0.6.43 through 0.8.5 are affected. The vulnerability, identified as CVE-2026-45350, stems from a lack of proper permission checks when retrieving tools via the \u003ccode\u003eget_tool_by_id\u003c/code\u003e function. An attacker can exploit this by supplying arbitrary \u003ccode\u003etool_id\u003c/code\u003e or \u003ccode\u003etool_servers\u003c/code\u003e parameters through the chat completion API, thereby invoking restricted server tools with elevated privileges. This occurs because the authentication token stored on the server is used when invoking the tool, effectively granting the attacker server-level privileges. The issue was resolved in versions v0.7.0 and v0.8.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with low privileges gains access to an Open WebUI instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a restricted tool configured within the Open WebUI instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the \u003ccode\u003e/api/chat/completions\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a prompt designed to utilize the restricted tool.\u003c/li\u003e\n\u003cli\u003eThe request contains the \u003ccode\u003etool_ids\u003c/code\u003e parameter set to the ID of the restricted tool, or the \u003ccode\u003etool_servers\u003c/code\u003e parameter, pointing to the restricted tool\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_tool_by_id\u003c/code\u003e function retrieves the tool without proper permission checks.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s authentication token is used to invoke the tool.\u003c/li\u003e\n\u003cli\u003eThe restricted tool executes with server privileges, potentially leading to unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows low-privilege users to bypass intended tool restrictions and execute privileged actions within the Open WebUI environment. This can lead to unauthorized data access, modification, or other malicious activities, effectively escalating the attacker\u0026rsquo;s privileges and compromising the integrity of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Open WebUI to version 0.8.6 or later to remediate CVE-2026-45350.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Open WebUI Chat Completion API Tool Restriction Bypass\u003c/code\u003e to identify attempts to exploit this vulnerability via HTTP requests to the \u003ccode\u003e/api/chat/completions\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing \u003ccode\u003etool_ids\u003c/code\u003e parameters associated with restricted tools to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and enforce proper access controls for tools within Open WebUI to prevent unauthorized usage, in addition to patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:26:17Z","date_published":"2026-05-14T20:26:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-tool-bypass/","summary":"Open WebUI versions prior to 0.8.6 contain a vulnerability in the chat completion API that allows attackers to bypass tool restrictions by invoking any server tool with elevated privileges by supplying the correct tool_id or tool_servers parameters; this issue is tracked as CVE-2026-45350.","title":"Open WebUI Chat Completion API Tool Restriction Bypass (CVE-2026-45350)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-tool-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45350","version":"https://jsonfeed.org/version/1.1"}