Skip to main content

Open WebUI CVE-2026-44552

| EUVDEUVD-2026-30609 HIGH
Exposure of Resource to Wrong Sphere (CWE-668)
2026-05-08 https://github.com/open-webui/open-webui GHSA-3x8w-4f7p-xxc2
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:32 vuln.today
Analysis Generated
May 08, 2026 - 20:32 vuln.today
CVE Published
May 08, 2026 - 19:44 nvd
HIGH 8.7

DescriptionGitHub Advisory

Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Affected Component

Tool server and terminal server Redis cache:

  • backend/open_webui/utils/tools.py (line 841, tool_servers SET)
  • backend/open_webui/utils/tools.py (line 850, tool_servers GET)
  • backend/open_webui/utils/tools.py (line 976, terminal_servers SET)
  • backend/open_webui/utils/tools.py (line 986, terminal_servers GET)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions since the tool server / terminal server Redis cache was introduced.

Description

Open WebUI uses a REDIS_KEY_PREFIX (default open-webui) to namespace Redis keys, allowing multiple instances to safely share a single Redis backend. Every Redis key in the codebase uses this prefix - except the tool_servers and terminal_servers keys in utils/tools.py, which use bare key names.

When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B - causing Instance B's users to receive Instance A's tool server configuration.

python
# utils/tools.py - unprefixed keys (problem)
await request.app.state.redis.set('tool_servers', ...)
# line 841
json.loads(await request.app.state.redis.get('tool_servers'))
# line 850
await request.app.state.redis.set('terminal_servers', ...)
# line 976
json.loads(await request.app.state.redis.get('terminal_servers'))
# line 986
# Every other Redis key in the codebase - prefixed (correct pattern)
f'{REDIS_KEY_PREFIX}:auth:token:{jti}:revoked'
f'{REDIS_KEY_PREFIX}:ratelimit:{email}:{bucket}'
f'{REDIS_KEY_PREFIX}:tasks:commands'

Attack Scenario

Two Open WebUI instances (A and B) share a Redis backend - a supported deployment for multi-region setups, blue-green deployments, or hot-standby. Both instances have their own admin accounts; the shared Redis was chosen for coordinated session handling, rate limiting, and task management.

  1. Attacker is an admin on Instance A (a legitimately provisioned admin, or one that escalated via any available path including the LDAP empty-password or stale-admin-role findings).
  2. Attacker on Instance A configures a tool server pointing to https://attacker-controlled.example.com/openapi.json. This triggers utils/tools.py:841 to write the new tool server list under the bare key tool_servers.
  3. Instance B's users query tools. Instance B reads from tool_servers (line 850) - gets Instance A's poisoned list, which now includes the attacker's server alongside or instead of Instance B's legitimate tool servers.
  4. Instance B's users invoke tools through the model's context. The attacker's server receives tool call payloads containing: chat content, user identity, OAuth tokens scoped to the tool server (if the user has bound their external account), and in-flight conversation context.
  5. The attacker's server returns arbitrary tool responses, which are fed back into Instance B's LLM context as "trusted tool output" - enabling prompt injection, misinformation delivery, and further data exfiltration cascades.

The same cross-instance poisoning applies to terminal_servers.

Impact

  • Cross-instance cache poisoning: an admin on one instance affects all users of another instance sharing the Redis backend
  • Data exfiltration: tool call payloads contain chat content and user identity, delivered to the attacker's server
  • Prompt injection delivery: attacker-returned tool responses enter the victim instance's LLM context as trusted data
  • Undermines the multi-instance isolation guarantee that REDIS_KEY_PREFIX was introduced to provide
  • Silent failure mode: no error is raised; the victim instance sees a valid, signed cache entry and has no way to detect it came from a different instance

Preconditions

  • Multiple Open WebUI instances share a single Redis backend (a supported and documented deployment)
  • Attacker has admin access on one of the instances (or escalates to admin via any available path)

AnalysisAI

Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.

Technical ContextAI

Open WebUI is a Python-based LLM frontend application using Redis for distributed caching and session management. The application implements a REDIS_KEY_PREFIX (default 'open-webui') to namespace Redis keys, enabling multiple isolated instances to safely share a single Redis backend-a pattern explicitly supported for multi-region deployments, blue-green environments, and cluster topologies. The vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) exists in backend/open_webui/utils/tools.py at lines 841, 850, 976, and 986, where tool_servers and terminal_servers cache keys are written and read using bare string literals ('tool_servers', 'terminal_servers') instead of the prefixed pattern (f'{REDIS_KEY_PREFIX}:tool_servers') used consistently elsewhere in the codebase for auth tokens, rate limits, and task queues. This inconsistency breaks Redis key namespace isolation, allowing cache entries from one instance to collide with and overwrite entries from another. The affected package is distributed via PyPI as pip/open-webui, with CPE string pkg:pip/open-webui identifying the vulnerable component.

RemediationAI

Upgrade to Open WebUI version 0.9.0 or later, which addresses the missing Redis key prefix issue per vendor advisory GHSA-3x8w-4f7p-xxc2 available at https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2. The fix applies the standard REDIS_KEY_PREFIX pattern to tool_servers and terminal_servers cache keys, restoring namespace isolation in multi-instance deployments. For organizations unable to upgrade immediately, deploy each Open WebUI instance with a dedicated Redis backend to eliminate cross-instance cache poisoning risk-this workaround trades operational complexity (multiple Redis instances requiring separate management, backup, and monitoring) for isolation but negates the shared-cache benefits for legitimate use cases like coordinated rate limiting and session management. Alternatively, configure unique REDIS_KEY_PREFIX values per instance if the application supports runtime override (verify in version-specific documentation), though this may not fully mitigate if the bare key names in vulnerable code bypass the prefix mechanism entirely. Audit admin account provisioning across all instances sharing Redis to limit exposure surface, and monitor Redis for unexpected tool_servers or terminal_servers key modifications as a detection control until patching is complete.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-44552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy