Open WebUI Chat Completion API Tool Restriction Bypass Vulnerability

A vulnerability exists in Open WebUI versions prior to 0.8.6 within the chat completion API. This issue allows users to bypass tool restrictions, potentially leading to unauthorized actions or access. The vulnerability arises because the API does not verify whether a user has permission to use specific tools. As a result, users can invoke any server tool by providing the appropriate tool_id or tool_servers parameters. Furthermore, the authentication token stored on the server is used when invoking the tool, granting it server privileges.

Impact

Exploitation of this vulnerability allows users to invoke restricted tools via the chat completion API, bypassing established access controls.

Reproduction

To reproduce this vulnerability, create an admin user and an external tool through the admin settings, ensuring the tool is set to 'MCP Streamable HTTP' and is marked private. Then, create a low-privilege user with an enabled API key. Using the chat completion API, the low-privilege user can request the restricted tool by its ID, effectively bypassing the visibility settings.

Remediation

Users can update to Open WebUI version 0.8.6 or later, where this vulnerability has been fixed.