Platform
python
Component
open-webui
Fixed in
0.6.33
CVE-2026-0766 is a remote code execution (RCE) vulnerability in Open WebUI version 0.6.32; the fix shipped in 0.6.33. The flaw is insufficient input validation in the load_tool_module_by_id function, the loader that turns a stored tool definition into a Python module running inside the server process. An authenticated user who can reach that loader can therefore run arbitrary Python with the privileges of the Open WebUI service account. Exploitation requires an account, but the outcome is full control of the application host. The vulnerability was disclosed on January 23, 2026.
The impact is severe because the injected code runs in-process, with whatever the Open WebUI service account can do: read or modify the application database (chat history, uploaded documents, user records), read configured credentials such as API keys for model providers, install malware or persistence on the host, and pivot to anything the host can reach. Open WebUI is a self-hosted web front end for large language models, so it is usually deployed next to model-serving infrastructure and often holds provider secrets; a compromise should be assumed to expose those. The authentication requirement narrows the attack surface but does not remove it: a multi-user instance, an instance with open sign-up enabled, or an instance reachable with weak or reused passwords hands an attacker the prerequisite account.
CVE-2026-0766 was publicly disclosed on January 23, 2026 and was initially tracked as ZDI-CAN-28257. The EPSS score at the time of writing is 0.29% (53rd percentile). This page does not reference a public proof-of-concept, but one is plausible given that the vulnerable code path is an ordinary authenticated request; monitor security communities and threat-intelligence feeds for signs of active exploitation.
Any organization running Open WebUI 0.6.32 is at risk. Shared instances serving many users are the most exposed, since any one compromised or malicious account can be used to exploit the vulnerability and then read every other user's data on the same instance. Deployments with open sign-up, default credentials, or weak access controls further raise the risk.
• linux / server:
journalctl -u openwebui -g 'load_tool_module_by_id'
(substitute the unit name your deployment uses; the function name only appears if the configured log level records tool loading)
• generic web:
curl -I http://<openwebui_ip>/api/v1/tools/load_tool_module_by_id?module_id=<suspicious_input>
(load_tool_module_by_id is an internal loader function rather than a public route, so treat this URL as a placeholder for the tool-management request that feeds it; a HEAD request with -I only confirms the service answers and does not exercise the loader)
• generic web:
Review access and application logs for tool create/update requests whose identifiers contain characters that do not belong in a tool id (path separators, quotes, semicolons, parentheses) or whose bodies contain Python execution primitives such as __import__, subprocess, or os.system. Access logs rarely record POST bodies, so enable application-level logging of tool changes where you need that visibility.
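The triage described above, as an added example that is not part of the original advisory or of the Open WebUI project: a small Python script that runs a few detection rules over Open WebUI log lines. The log line format, the `open-webui` unit name, and the `tool_id=... user=...` fields are constructed assumptions about what the loader logs, so adjust `LINE_RE` to your deployment; the sample lines and the injection-looking tool ids in them are invented to exercise the rules and are not a known exploit for this CVE.

```python
"""Triage Open WebUI logs for suspicious tool-module loads (CVE-2026-0766).

Added example, not Open WebUI code. The line format below is an assumption
modelled on 'journalctl -u openwebui' output; adapt LINE_RE to your logs.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (invented tool ids and users) for a stand-alone run.
SAMPLE_LOG = """\
Jan 23 10:02:11 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=weather_lookup user=alice
Jan 23 10:02:12 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=weather_lookup user=alice
Jan 23 10:15:40 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=../../etc/cron.d/x user=bob
Jan 23 10:16:02 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=calc;__import__('os').system('id') user=bob
Jan 23 10:16:03 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=calc user=bob
Jan 23 10:16:04 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=calc user=bob
Jan 23 10:16:05 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=calc user=bob
Jan 23 10:16:06 llm01 open-webui[2412]: INFO  load_tool_module_by_id tool_id=calc user=bob
Jan 23 10:20:00 llm01 open-webui[2412]: INFO  GET /api/v1/tools/ 200
"""

# Assumed message format: timestamp, host, unit[pid], level, function, tool_id, user.
# The 'ts' group deliberately stops at the minute so loads can be bucketed per minute.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}):\d{2} \S+ open-webui\[\d+\]: \w+\s+"
    r"load_tool_module_by_id tool_id=(?P<tool_id>.*?) user=(?P<user>\S+)$"
)
# A legitimate tool id is expected to be a short slug; anything else deserves a look.
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Generic Python execution primitives that have no business inside an identifier.
# This is a triage heuristic, not a signature for any specific exploit.
EXEC_TOKENS = ("__import__", "subprocess", "os.system", "popen", "eval(", "exec(", "compile(")
BURST_THRESHOLD = 5  # tool loads by one user within one minute that warrant a look


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per rule hit: {line, user, tool_id, reason}."""
    findings: List[Dict[str, object]] = []
    per_minute: Dict[tuple, List[int]] = defaultdict(list)  # (user, minute) -> line numbers
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated log line
        tool_id, user, minute = m["tool_id"], m["user"], m["ts"]
        per_minute[(user, minute)].append(n)
        if not SAFE_ID_RE.match(tool_id):
            findings.append({"line": n, "user": user, "tool_id": tool_id,
                             "reason": "tool_id is not a simple slug"})
        lowered = tool_id.lower()
        if any(tok in lowered for tok in EXEC_TOKENS):
            findings.append({"line": n, "user": user, "tool_id": tool_id,
                             "reason": "python execution primitive in tool_id"})
    # Rate rule: many loads by one user in a single minute suggests scripted probing.
    for (user, minute), lines in per_minute.items():
        if len(lines) >= BURST_THRESHOLD:
            findings.append({"line": lines[0], "user": user, "tool_id": "",
                             "reason": f"burst: {len(lines)} tool loads in minute {minute}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>3}  user={f['user']:<6} {f['reason']}  {f['tool_id']}")
```

Run it against `journalctl -u <unit> -g load_tool_module_by_id --no-pager` output piped into a file; a hit on the slug or primitive rules is worth an immediate look at that user's stored tools, while the burst rule is a prompt to check for scripted probing rather than proof of compromise.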
Disclosure
January 23, 2026
Exploit status
active exploitation not confirmed
EPSS
0.29% (53rd percentile)
CISA SSVC
not listed on this page
CVSS vector
not listed on this page
The fix for CVE-2026-0766 is to upgrade to Open WebUI 0.6.33 or later. Until that upgrade is deployed, reduce exposure: restrict access to Open WebUI to authorized personnel, disable open sign-up, enforce strong password policies, and limit who may create or edit tools. A Web Application Firewall (WAF) with rules that flag code-injection patterns in tool-management requests adds a layer, but treat it as a stopgap rather than a fix, since filtering Python source by pattern is easy to evade. Consider temporarily disabling tool functionality if your usage permits. Monitor system logs for suspicious activity, in particular processes spawned by the Open WebUI service account. After upgrading, verify the running version (the version shown in the admin settings, or `pip show open-webui` in the service's environment) rather than poking the vulnerable code path with test payloads.
Update Open WebUI to a version later than 0.6.32 that fixes the code-injection vulnerability (0.6.33 per the header above). Consult the vendor's website or the release notes for specific upgrade instructions.
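A way to answer "am I affected?" for this advisory, as an added example that is not Open WebUI project code: a Python check that compares an installed or pinned open-webui version against the fixed release. It takes 0.6.33 as the first fixed version from the header of this page; the sample requirements content is constructed, and the version parser compares only leading numeric components (enough for release tags such as 0.6.32, not a full PEP 440 implementation).

```python
"""Check whether an open-webui version is affected by CVE-2026-0766.

Added example, not Open WebUI project code. Assumes, per the advisory header,
that 0.6.32 is vulnerable and 0.6.33 is the first fixed release.
"""
import re
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (0, 6, 33)  # "Fixed in 0.6.33" from the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.6.32' (optionally with a suffix such as 'rc1') into a comparable tuple.

    Only the leading dotted integers are compared and the tuple is padded to three
    components, so '0.6' reads as (0, 6, 0). Pre-release suffixes are ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version is older than the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def pinned_version_from_requirements(requirements: str) -> Optional[str]:
    """Find an exact '==' pin of open-webui (also open_webui) in requirements text.

    Returns None when the package is absent or not pinned exactly; ranges such as
    '>=' are deliberately not resolved here because they say nothing definite.
    """
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^(open[-_]webui)\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m:
            return m.group(2)
    return None


def installed_version() -> Optional[str]:
    """Version of open-webui in the current environment, or None if not installed."""
    try:
        return metadata.version("open-webui")
    except metadata.PackageNotFoundError:
        return None


# Constructed sample requirements content for a stand-alone run.
SAMPLE_REQUIREMENTS = """\
fastapi==0.115.0
open-webui==0.6.32   # pinned before the fix
"""

if __name__ == "__main__":
    pinned = pinned_version_from_requirements(SAMPLE_REQUIREMENTS)
    print("pinned:", pinned, "affected:", is_affected(pinned) if pinned else "n/a")
    inst = installed_version()
    print("installed:", inst, "affected:", is_affected(inst) if inst else "n/a")
```

Run it inside the virtual environment that serves Open WebUI so `installed_version()` reports the version actually running; a container deployment should instead compare the image tag against 0.6.33.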
CVE-2026-0766 is a remote code execution vulnerability in Open WebUI version 0.6.32 that lets an authenticated user execute arbitrary code on the server because the tool loader does not validate its input adequately. It is a significant security risk for any multi-user instance.
If you are running Open WebUI version 0.6.32, you are affected. Upgrade to 0.6.33 or later as soon as possible.
The recommended fix is to upgrade to Open WebUI 0.6.33 or later. Until the upgrade is rolled out, restrict access, disable open sign-up, limit who may create or edit tools, and apply WAF rules as a temporary layer.
While active exploitation is not yet confirmed, the vulnerability is publicly known, and the potential for exploitation is high. Monitoring and proactive mitigation are crucial.
Refer to the official Open WebUI website and security advisories for the latest information and updates regarding CVE-2026-0766.