Cve-2026-45350 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-45350/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 20:26:17 +0000Open WebUI Chat Completion API Tool Restriction Bypass (CVE-2026-45350)https://feed.craftedsignal.io/briefs/2026-05-open-webui-tool-bypass/Thu, 14 May 2026 20:26:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-open-webui-tool-bypass/Open WebUI versions prior to 0.8.6 contain a vulnerability in the chat completion API that allows attackers to bypass tool restrictions by invoking any server tool with elevated privileges by supplying the correct tool_id or tool_servers parameters; this issue is tracked as CVE-2026-45350.Open WebUI is vulnerable to a tool restriction bypass in its chat completion API. Specifically, versions 0.6.43 through 0.8.5 are affected. The vulnerability, identified as CVE-2026-45350, stems from a lack of proper permission checks when retrieving tools via the get_tool_by_id function. An attacker can exploit this by supplying arbitrary tool_id or tool_servers parameters through the chat completion API, thereby invoking restricted server tools with elevated privileges. This occurs because the authentication token stored on the server is used when invoking the tool, effectively granting the attacker server-level privileges. The issue was resolved in versions v0.7.0 and v0.8.6.

Attack Chain

  1. An attacker with low privileges gains access to an Open WebUI instance.
  2. The attacker identifies a restricted tool configured within the Open WebUI instance.
  3. The attacker crafts a malicious request to the /api/chat/completions endpoint.
  4. The request includes a prompt designed to utilize the restricted tool.
  5. The request contains the tool_ids parameter set to the ID of the restricted tool, or the tool_servers parameter, pointing to the restricted tool’s server.
  6. The get_tool_by_id function retrieves the tool without proper permission checks.
  7. The server’s authentication token is used to invoke the tool.
  8. The restricted tool executes with server privileges, potentially leading to unauthorized actions.

Impact

Successful exploitation of this vulnerability allows low-privilege users to bypass intended tool restrictions and execute privileged actions within the Open WebUI environment. This can lead to unauthorized data access, modification, or other malicious activities, effectively escalating the attacker’s privileges and compromising the integrity of the system.

Recommendation

  • Upgrade Open WebUI to version 0.8.6 or later to remediate CVE-2026-45350.
  • Deploy the provided Sigma rule Detect Open WebUI Chat Completion API Tool Restriction Bypass to identify attempts to exploit this vulnerability via HTTP requests to the /api/chat/completions endpoint.
  • Monitor web server logs for suspicious requests containing tool_ids parameters associated with restricted tools to detect potential exploitation attempts.
  • Review and enforce proper access controls for tools within Open WebUI to prevent unauthorized usage, in addition to patching.
]]>highadvisorycvecve-2026-45350privilege escalationweb application