Open WebUI Command Injection Remote Code Execution Vulnerability

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in Open WebUI. This issue arises in the load_tool_module_by_id function, where user-supplied strings are not properly validated before being used to execute Python code. As a result, authenticated attackers can exploit this vulnerability to execute arbitrary code in the context of the service account.
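The weakness class described above, as an added illustration that is not Open WebUI's code: a constructed tool loader in the unsafe form (stored source executed as Python with no check on the identifier or on who supplied it) beside a gated form that validates the identifier and executes only administrator-submitted, approved source. The function names, the ToolRecord fields and the in-memory registry are assumptions made for this example.

```python
"""Hypothetical tool loader: unsafe pattern beside a gated one.

Added example, not Open WebUI's code. load_tool_unsafe, load_tool_gated,
ToolRecord, is_loadable and REGISTRY are names constructed for this example.
"""
import re
import types
from dataclasses import dataclass

# Strict identifier shape: lowercase letters, digits, underscore; bounded length.
TOOL_ID_RE = re.compile(r"^[a-z][a-z0-9_]{0,63}$")


@dataclass(frozen=True)
class ToolRecord:
    tool_id: str
    source: str        # Python source text of the tool module
    author_role: str   # role of the account that submitted the source
    approved: bool     # set only by an administrator review step


class ToolLoadError(Exception):
    """Raised when the gated loader refuses to execute a tool."""


def load_tool_unsafe(tool_id: str, registry: dict) -> types.ModuleType:
    """Vulnerable pattern (constructed): whatever source is stored under the id
    is executed as Python, regardless of the id's shape or the author's role."""
    record = registry[tool_id]
    module = types.ModuleType(tool_id)
    exec(record.source, module.__dict__)  # arbitrary Python runs here
    return module


def load_tool_gated(tool_id: str, registry: dict) -> types.ModuleType:
    """Hardened pattern: validate the identifier, then execute only source that
    an administrator submitted and explicitly approved. exec() is still a
    full-trust operation; the gate restricts it to trusted input."""
    if not isinstance(tool_id, str) or not TOOL_ID_RE.fullmatch(tool_id):
        raise ToolLoadError("tool id has an unexpected shape")
    record = registry.get(tool_id)
    if record is None:
        raise ToolLoadError("unknown tool id")
    if record.author_role != "admin" or not record.approved:
        raise ToolLoadError("tool source is not admin-approved; refusing to execute")
    # compile() separates syntax checking from execution and labels tracebacks.
    code = compile(record.source, f"<tool:{tool_id}>", "exec")
    module = types.ModuleType(tool_id)
    exec(code, module.__dict__)
    return module


def is_loadable(tool_id: str, registry: dict) -> bool:
    """True if the gated loader accepts the tool, False if it refuses."""
    try:
        load_tool_gated(tool_id, registry)
        return True
    except ToolLoadError:
        return False


# Constructed registry: one admin-approved tool, one submitted by a regular user.
REGISTRY = {
    "calc": ToolRecord("calc", "def run(x):\n    return x * 2\n", "admin", True),
    "untrusted": ToolRecord("untrusted", "MARKER = 'executed'\n", "user", False),
}


if __name__ == "__main__":
    print("gated calc ->", load_tool_gated("calc", REGISTRY).run(21))
    for tid in ("untrusted", "Calc", "../calc"):
        print(f"gated {tid!r} loadable ->", is_loadable(tid, REGISTRY))
    # The unsafe loader runs the user-submitted source without any gate.
    print("unsafe untrusted ->", load_tool_unsafe("untrusted", REGISTRY).MARKER)
```

The gate does not sandbox the executed code: in CPython, restricting globals does not contain untrusted source. The defensive point is that executing stored Python must be reserved for content an administrator wrote and reviewed, which is the same direction as the advisory's interim advice to restrict interaction with the product until a fix is available.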

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system, with the executed code running under the service account's privileges.

Remediation

No specific patch is available. It is recommended to restrict interaction with the product.

Added: Jan 23, 2026, 4:36 AM
Updated: Jan 23, 2026, 4:36 AM

Vulnerability Rating

Custom Algorithm
spread:          0.0
impact:         10.0
exploitability:  3.3
remediation:     7.9
relevance:       2.3
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.