CVE-2026-0766

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-0766

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0766.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-0766

Published

2026-01-23T04:16:03.527Z

Modified

2026-03-13T04:07:33.412155Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Open WebUI loadtoolmodulebyid Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability.

The specific flaw exists within the loadtoolmodulebyid function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257.

References

https://www.zerodayinitiative.com/advisories/ZDI-26-032/

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type

GIT

Repo

https://github.com/open-webui/open-webui

Events

Introduced

Last affected

37d1c85c996e1bdcd505e1e6d62b2f17acd8df23

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.6.32"
        }
    ]
}

Affected versions

v0.*

v0.1.102

v0.1.103

v0.1.104

v0.1.105

v0.1.106

v0.1.107

v0.1.108

v0.1.109

v0.1.110

v0.1.111

v0.1.112

v0.1.113

v0.1.114

v0.1.115

v0.1.116

v0.1.117

v0.1.118

v0.1.119

v0.1.120

v0.1.121

v0.1.122

v0.1.123

v0.1.124

v0.1.125

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.3.0

v0.3.1

v0.3.10

v0.3.11

v0.3.12

v0.3.13

v0.3.14

v0.3.15

v0.3.16

v0.3.17

v0.3.18

v0.3.19

v0.3.2

v0.3.20

v0.3.21

v0.3.22

v0.3.23

v0.3.24

v0.3.25

v0.3.26

v0.3.27

v0.3.28

v0.3.29

v0.3.3

v0.3.30

v0.3.31

v0.3.32

v0.3.33

v0.3.34

v0.3.35

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.5.0

v0.5.1

v0.5.10

v0.5.11

v0.5.12

v0.5.13

v0.5.14

v0.5.15

v0.5.16

v0.5.17

v0.5.18

v0.5.19

v0.5.2

v0.5.20

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.10

v0.6.11

v0.6.12

v0.6.13

v0.6.14

v0.6.15

v0.6.16

v0.6.17

v0.6.18

v0.6.19

v0.6.2

v0.6.20

v0.6.21

v0.6.22

v0.6.23

v0.6.24

v0.6.25

v0.6.26

v0.6.27

v0.6.28

v0.6.29

v0.6.3

v0.6.30

v0.6.31

v0.6.32

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.6.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0766.json"