
CVE-2026-0766

CVE ID: CVE-2026-0766
Vendor Disposition: Rejected — not a vulnerability
Published: 2026-01-23
Issuing CNA: Zero Day Initiative (ZDI-26-032)
Claimed Severity: High (CVSS 8.8 — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-94 (Code Injection)

What the CVE Claims

The function load_tool_module_by_id in backend/open_webui/utils/plugin.py allegedly allows a low-privileged authenticated remote attacker to execute arbitrary Python code by submitting a Tool whose source contains arbitrary Python, which the function then passes to exec().


Why This Is Not a Vulnerability

load_tool_module_by_id is the core mechanism by which Open WebUI loads user-authored Tools. Tools are Python modules authored by the user and executed by the server — this is the explicit feature design. The function reads the Tool source from the database, parses its frontmatter, and calls exec() on the source to instantiate the module. There is no input "validation" to be added; the input is the Python module the user has submitted to be executed.

This mirrors the design of every other code-extension system: Jupyter executes notebook cells, n8n executes Code nodes, Home Assistant executes python_script files. Calling exec() on the submitted code is the feature, not a defect.

Access Control

The routes that invoke load_tool_module_by_id are gated by user.role == 'admin' or by the workspace.tools permission, which is disabled by default. Granting workspace.tools is documented as equivalent to giving the user shell access to the server. There is no path by which an unprivileged user can reach this function.

CVSS Accuracy

The published CVSS rates the privilege requirement as PR:L (Low). This is methodologically incorrect — the function is reachable only by administrators (PR:H) or by users explicitly granted root-equivalent permissions.

Applicable Security Policy Rules

  • Rule 10: The Tools feature is designed to execute user-provided Python code on the server. Reports involving Tools or Functions are closed as intended behavior.
  • Rule 9: "Pasting untrusted code into Functions/Tools" is explicitly cited as out-of-scope.
  • Rule 1: Expected protocol behavior is not a vulnerability.

Impact to Users

No action required. This CVE describes intended functionality. Tools execute Python code on the server by design. If you have granted workspace.tools to untrusted users, review the Plugin Security documentation.


This content is for informational purposes only and does not constitute a warranty, guarantee, or contractual commitment. Open WebUI is provided "as is." See your license for applicable terms.