Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chat_completion API, the parameters tool_ids and tool_servers are supplied by the user. These parameters are used to create a tools_dict by the middleware. This is then used by get_tool_by_id to retrieve the appropriate tool. However, there is no checks in that ensures the user that uses the API has permission to use the tool, meaning that a user can invoke any server tool by supplying the correct tool_id or tool_servers parameters via the chat completion API. Moreover, the authentication token stored in the server would be used when invoking the tool, so the tool will be invoked with the server privilege. This vulnerability is fixed in 0.8.6.
CVE-2026-45350
This high-severity CVE scores 7.1 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 83% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.1
- EG Score
- 7.1(medium)
- EPSS
- 17.4%
- KEV
- Not listed
Published
May 15, 2026
Last Modified
May 18, 2026
Advisory Details (1)
Auto-updated May 16, 2026Chat completion API allows tool restrictions to be bypassed · Advisory · open-webui/open-webui · GitHub
https://github.com/open-webui/open-webui/security/advisories/GHSA-4pcg-253r-rf9wVendor Advisories for CVE-2026-45350(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| open-webui | 0.1.124 ... 0.8.5 (144 versions) | 0.8.6 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 6× in last 7d / 51× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 107 total refreshes for this CVE.
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 21:22 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 09:24 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 21:45 UTCEG score recompute
- 2026-06-27 07:45 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 20:05 UTCEG score recompute
- 2026-06-25 18:39 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
Show 75 moreShow fewer
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 02:54 UTCEG score recompute
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 13:20 UTCEG score recompute
- 2026-06-16 22:43 UTCEG score recompute
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-16 11:04 UTCEG score recompute
- 2026-06-15 23:25 UTCEG score recompute
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-14 22:24 UTCEG score recompute
- 2026-06-14 10:48 UTCEG score recompute
- 2026-06-13 23:09 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 07:49 UTCEG score recompute
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 20:12 UTCEG score recompute
- 2026-06-12 08:34 UTCEG score recompute
- 2026-06-11 20:58 UTCEG score recompute
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-11 09:21 UTCEG score recompute
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 21:45 UTCEG score recompute
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 10:08 UTCEG score recompute
- 2026-06-09 22:32 UTCEG score recompute
- 2026-06-09 10:55 UTCEG score recompute
- 2026-06-08 23:19 UTCEG score recompute
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-08 11:41 UTCEG score recompute
- 2026-06-08 00:04 UTCEG score recompute
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 12:27 UTCEG score recompute
- 2026-06-07 00:51 UTCEG score recompute
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 13:14 UTCEG score recompute
- 2026-06-06 01:37 UTCEG score recompute
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 13:59 UTCEG score recompute
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 02:22 UTCEG score recompute
- 2026-06-04 14:45 UTCEG score recompute
- 2026-06-04 03:08 UTCEG score recompute
- 2026-06-03 15:31 UTCEG score recompute
- 2026-06-03 03:54 UTCEG score recompute
- 2026-06-02 20:13 UTCEPSS rescore
- 2026-06-02 16:17 UTCEG score recompute
- 2026-06-02 04:40 UTCEG score recompute
- 2026-06-01 17:03 UTCEG score recompute
- 2026-06-01 13:52 UTCEPSS rescore
- 2026-06-01 13:52 UTCEPSS rescore
- 2026-06-01 05:26 UTCEG score recompute
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
Frequently asked(5)
What is CVE-2026-45350?
When was CVE-2026-45350 disclosed?
Is CVE-2026-45350 actively exploited?
What is the CVSS score of CVE-2026-45350?
How do I remediate CVE-2026-45350?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45350
Is Your Infrastructure Affected by CVE-2026-45350?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.