CVE-2026-0765
| CVE ID | CVE-2026-0765 |
| Vendor Disposition | Rejected — not a vulnerability |
| Published | 2026-01-23 |
| Issuing CNA | Zero Day Initiative (ZDI-26-031) |
| Claimed Severity | High (CVSS 8.8 — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-78 (OS Command Injection) |
What the CVE Claims
The function install_frontmatter_requirements in backend/open_webui/utils/plugin.py allegedly allows a low-privileged authenticated remote attacker to execute arbitrary code by injecting malicious package names into the requirements field of a Tool's or Function's YAML frontmatter, which the function then passes to pip install via subprocess.check_call.
Why This Is Not a Vulnerability
install_frontmatter_requirements is the documented mechanism by which Open WebUI installs Python package dependencies declared in the YAML frontmatter of user-authored Tools and Functions. Tools and Functions are user-authored Python modules that the server loads, executes, and holds in memory. Authors declare pip dependencies via frontmatter, and the server resolves them on first load. This mirrors the dependency-declaration model of comparable extension systems (Jupyter notebooks with %pip install, n8n Code nodes, Home Assistant python_script).
There is no "injection" into a fixed pipeline. The user is not injecting commands into someone else's operation — they are submitting Python source code that includes a declared dependency list, and the server installs those dependencies and executes the code by design. The "attacker" in this scenario is a user exercising the code-execution rights they were explicitly granted.
Access Control
The function is reachable only through admin-gated routes (POST /api/v1/tools/create, POST /api/v1/tools/id/{id}/update, and analogous Function endpoints). These routes require either user.role == 'admin' or the workspace.tools permission, which is disabled by default for non-admin users. Granting workspace.tools is documented as equivalent to giving the user shell access to the server. There is no path by which an unprivileged user can reach this function.
CVSS Accuracy
The published CVSS rates the privilege requirement as PR:L (Low). This is methodologically incorrect — the function is reachable only by administrators (PR:H) or by users explicitly granted root-equivalent permissions.
Applicable Security Policy Rules
- Rule 10: Reports involving Tools or Functions — including code execution and frontmatter-based pip installation — are closed as intended behavior.
- Rule 9: "Pasting untrusted code into Functions/Tools" is explicitly cited as out-of-scope.
- Rule 1: Expected protocol behavior is not a vulnerability.
Impact to Users
No action required. This CVE describes intended functionality. If you have granted workspace.tools to untrusted users, review the Plugin Security documentation — but this is a configuration decision, not a vulnerability.