CVE-2026-44552 (GCVE-0-2026-44552)

Vulnerability from cvelistv5 – Published: 2026-05-15 19:57 – Updated: 2026-05-15 19:57

Title

Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B — causing Instance B's users to receive Instance A's tool server configuration. This vulnerability is fixed in 0.9.0.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B \u2014 causing Instance B\u0027s users to receive Instance A\u0027s tool server configuration. This vulnerability is fixed in 0.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T19:57:22.801Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2"
        }
      ],
      "source": {
        "advisory": "GHSA-3x8w-4f7p-xxc2",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44552",
    "datePublished": "2026-05-15T19:57:22.801Z",
    "dateReserved": "2026-05-06T20:59:00.594Z",
    "dateUpdated": "2026-05-15T19:57:22.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44552",
      "date": "2026-05-17",
      "epss": "0.00028",
      "percentile": "0.08229"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44552\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T20:16:46.570\",\"lastModified\":\"2026-05-15T20:16:46.570\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B \u2014 causing Instance B\u0027s users to receive Instance A\u0027s tool server configuration. This vulnerability is fixed in 0.9.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44552

Vulnerability from fkie_nvd - Published: 2026-05-15 20:16 - Updated: 2026-05-15 20:16

Severity ?

8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B \u2014 causing Instance B\u0027s users to receive Instance A\u0027s tool server configuration. This vulnerability is fixed in 0.9.0."
    }
  ],
  "id": "CVE-2026-44552",
  "lastModified": "2026-05-15T20:16:46.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T20:16:46.570",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-3X8W-4F7P-XXC2

Vulnerability from github – Published: 2026-05-08 19:44 – Updated: 2026-05-15 23:52

Summary

Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Details

Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Affected Component

Tool server and terminal server Redis cache: - backend/open_webui/utils/tools.py (line 841, tool_servers SET) - backend/open_webui/utils/tools.py (line 850, tool_servers GET) - backend/open_webui/utils/tools.py (line 976, terminal_servers SET) - backend/open_webui/utils/tools.py (line 986, terminal_servers GET)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions since the tool server / terminal server Redis cache was introduced.

Description

Open WebUI uses a REDIS_KEY_PREFIX (default open-webui) to namespace Redis keys, allowing multiple instances to safely share a single Redis backend. Every Redis key in the codebase uses this prefix — except the tool_servers and terminal_servers keys in utils/tools.py, which use bare key names.

When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B — causing Instance B's users to receive Instance A's tool server configuration.

# utils/tools.py — unprefixed keys (problem)
await request.app.state.redis.set('tool_servers', ...)        # line 841
json.loads(await request.app.state.redis.get('tool_servers')) # line 850
await request.app.state.redis.set('terminal_servers', ...)    # line 976
json.loads(await request.app.state.redis.get('terminal_servers'))  # line 986

# Every other Redis key in the codebase — prefixed (correct pattern)
f'{REDIS_KEY_PREFIX}:auth:token:{jti}:revoked'
f'{REDIS_KEY_PREFIX}:ratelimit:{email}:{bucket}'
f'{REDIS_KEY_PREFIX}:tasks:commands'

Attack Scenario

Two Open WebUI instances (A and B) share a Redis backend — a supported deployment for multi-region setups, blue-green deployments, or hot-standby. Both instances have their own admin accounts; the shared Redis was chosen for coordinated session handling, rate limiting, and task management.

Attacker is an admin on Instance A (a legitimately provisioned admin, or one that escalated via any available path including the LDAP empty-password or stale-admin-role findings).
Attacker on Instance A configures a tool server pointing to https://attacker-controlled.example.com/openapi.json. This triggers utils/tools.py:841 to write the new tool server list under the bare key tool_servers.
Instance B's users query tools. Instance B reads from tool_servers (line 850) — gets Instance A's poisoned list, which now includes the attacker's server alongside or instead of Instance B's legitimate tool servers.
Instance B's users invoke tools through the model's context. The attacker's server receives tool call payloads containing: chat content, user identity, OAuth tokens scoped to the tool server (if the user has bound their external account), and in-flight conversation context.
The attacker's server returns arbitrary tool responses, which are fed back into Instance B's LLM context as "trusted tool output" — enabling prompt injection, misinformation delivery, and further data exfiltration cascades.

The same cross-instance poisoning applies to terminal_servers.

Impact

Cross-instance cache poisoning: an admin on one instance affects all users of another instance sharing the Redis backend
Data exfiltration: tool call payloads contain chat content and user identity, delivered to the attacker's server
Prompt injection delivery: attacker-returned tool responses enter the victim instance's LLM context as trusted data
Undermines the multi-instance isolation guarantee that REDIS_KEY_PREFIX was introduced to provide
Silent failure mode: no error is raised; the victim instance sees a valid, signed cache entry and has no way to detect it came from a different instance

Preconditions

Multiple Open WebUI instances share a single Redis backend (a supported and documented deployment)
Attacker has admin access on one of the instances (or escalates to admin via any available path)

Severity ?

8.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:44:40Z",
    "nvd_published_at": "2026-05-15T20:16:46Z",
    "severity": "HIGH"
  },
  "details": "# Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning\n\n## Affected Component\n\nTool server and terminal server Redis cache:\n- `backend/open_webui/utils/tools.py` (line 841, tool_servers SET)\n- `backend/open_webui/utils/tools.py` (line 850, tool_servers GET)\n- `backend/open_webui/utils/tools.py` (line 976, terminal_servers SET)\n- `backend/open_webui/utils/tools.py` (line 986, terminal_servers GET)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions since the tool server / terminal server Redis cache was introduced.\n\n## Description\n\nOpen WebUI uses a `REDIS_KEY_PREFIX` (default `open-webui`) to namespace Redis keys, allowing multiple instances to safely share a single Redis backend. Every Redis key in the codebase uses this prefix \u2014 except the `tool_servers` and `terminal_servers` keys in `utils/tools.py`, which use bare key names.\n\nWhen two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to `tool_servers` overwrites the value read by Instance B \u2014 causing Instance B\u0027s users to receive Instance A\u0027s tool server configuration.\n\n```python\n# utils/tools.py \u2014 unprefixed keys (problem)\nawait request.app.state.redis.set(\u0027tool_servers\u0027, ...)        # line 841\njson.loads(await request.app.state.redis.get(\u0027tool_servers\u0027)) # line 850\nawait request.app.state.redis.set(\u0027terminal_servers\u0027, ...)    # line 976\njson.loads(await request.app.state.redis.get(\u0027terminal_servers\u0027))  # line 986\n\n# Every other Redis key in the codebase \u2014 prefixed (correct pattern)\nf\u0027{REDIS_KEY_PREFIX}:auth:token:{jti}:revoked\u0027\nf\u0027{REDIS_KEY_PREFIX}:ratelimit:{email}:{bucket}\u0027\nf\u0027{REDIS_KEY_PREFIX}:tasks:commands\u0027\n```\n\n## Attack Scenario\n\nTwo Open WebUI instances (A and B) share a Redis backend \u2014 a supported deployment for multi-region setups, blue-green deployments, or hot-standby. Both instances have their own admin accounts; the shared Redis was chosen for coordinated session handling, rate limiting, and task management.\n\n1. Attacker is an admin on Instance A (a legitimately provisioned admin, or one that escalated via any available path including the LDAP empty-password or stale-admin-role findings).\n2. Attacker on Instance A configures a tool server pointing to `https://attacker-controlled.example.com/openapi.json`. This triggers `utils/tools.py:841` to write the new tool server list under the bare key `tool_servers`.\n3. Instance B\u0027s users query tools. Instance B reads from `tool_servers` (line 850) \u2014 gets Instance A\u0027s poisoned list, which now includes the attacker\u0027s server alongside or instead of Instance B\u0027s legitimate tool servers.\n4. Instance B\u0027s users invoke tools through the model\u0027s context. The attacker\u0027s server receives tool call payloads containing: chat content, user identity, OAuth tokens scoped to the tool server (if the user has bound their external account), and in-flight conversation context.\n5. The attacker\u0027s server returns arbitrary tool responses, which are fed back into Instance B\u0027s LLM context as \"trusted tool output\" \u2014 enabling prompt injection, misinformation delivery, and further data exfiltration cascades.\n\nThe same cross-instance poisoning applies to `terminal_servers`.\n\n## Impact\n\n- Cross-instance cache poisoning: an admin on one instance affects all users of another instance sharing the Redis backend\n- Data exfiltration: tool call payloads contain chat content and user identity, delivered to the attacker\u0027s server\n- Prompt injection delivery: attacker-returned tool responses enter the victim instance\u0027s LLM context as trusted data\n- Undermines the multi-instance isolation guarantee that `REDIS_KEY_PREFIX` was introduced to provide\n- Silent failure mode: no error is raised; the victim instance sees a valid, signed cache entry and has no way to detect it came from a different instance\n\n## Preconditions\n\n- Multiple Open WebUI instances share a single Redis backend (a supported and documented deployment)\n- Attacker has admin access on one of the instances (or escalates to admin via any available path)",
  "id": "GHSA-3x8w-4f7p-xxc2",
  "modified": "2026-05-15T23:52:27Z",
  "published": "2026-05-08T19:44:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3x8w-4f7p-xxc2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44552"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44552 (GCVE-0-2026-44552)

FKIE_CVE-2026-44552

GHSA-3X8W-4F7P-XXC2

Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Affected Component

Affected Versions

Description

Attack Scenario

Impact

Preconditions

Tags

Sightings

Nomenclature