CVE-2026-0766

Source
https://cve.org/CVERecord?id=CVE-2026-0766
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0766.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0766
Published
2026-01-23T03:28:35.773Z
Modified
2026-07-15T01:49:01.517882113Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability
Details

Open WebUI loadtoolmodulebyid Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability.

The specific flaw exists within the loadtoolmodulebyid function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/0xxx/CVE-2026-0766.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "0.6.32"
                },
                {
                    "last_affected": "0.6.32"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "zdi"
}
References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type
GIT
Repo
https://github.com/open-webui/open-webui
Events
Database specific
{
    "cpe": "cpe:2.3:a:openwebui:open_webui:0.6.32:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.6.32"
        },
        {
            "last_affected": "0.6.32"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

0.*
0.6.32
v0.*
v0.6.32

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0766.json"