Open WebUI
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- < 0.9.5
A vulnerability in Open WebUI versions prior to 0.9.5 allows users with a 'write' access grant on tools to execute arbitrary server-side code as root. This issue arises because the tool update endpoint (POST /api/v1/tools/id/{id}/update) lacks the necessary 'workspace.tools' permission check, which is enforced on the tool creation endpoint. As a result, a user who has been denied tool management capabilities and is considered untrusted for code execution can bypass the security boundary, replace a tool's Python content, and trigger execution. The vulnerability is rooted in asymmetric authorization checks between the create and update endpoints for tools.
Exploiting this vulnerability allows for unauthorized code execution on the server, with the executed code running as the root user. This could lead to reading or modifying sensitive environment variables, accessing the application database, reading arbitrary files from the container filesystem, and making outbound network requests to internal services.
To reproduce this vulnerability, first create two non-admin users: one trusted (Alice) and one untrusted (Bob). Enable the 'workspace.tools' permission for Alice, who can then create a tool and grant 'write' access to Bob. After revoking the 'workspace.tools' permission globally, Bob can exploit the vulnerability by updating the tool's content with malicious Python code, which is executed on the server.
The vulnerability can be addressed by adding the 'workspace.tools' permission check to the tool update endpoint, ensuring it matches the authorization requirements of the create endpoint.
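The asymmetric check and its fix, modeled in plain Python as an added example. This is not Open WebUI's code: `User`, `Tool`, `may_manage_tools`, `may_write` and the handler function names are hypothetical stand-ins for the create and update routes, and the Alice/Bob data is constructed.

```python
from dataclasses import dataclass, field
class Forbidden(Exception): pass  # stands in for an HTTP 401/403 response

@dataclass
class User:
    id: str
    permissions: set = field(default_factory=set)  # e.g. {"workspace.tools"}

@dataclass
class Tool:
    owner_id: str
    content: str
    write_grants: set = field(default_factory=set)  # user ids holding 'write'

def may_manage_tools(user):
    # Feature-level permission: is this user trusted to supply tool code at all?
    return "workspace.tools" in user.permissions

def may_write(user, tool):
    # Object-level grant: may this user modify this particular tool?
    return user.id == tool.owner_id or user.id in tool.write_grants

def create_tool(user, content):
    if not may_manage_tools(user):
        raise Forbidden("workspace.tools required")
    return Tool(user.id, content)

def update_tool_before_fix(user, tool, content):
    # Behaviour the advisory describes: only the object-level grant is checked.
    if not may_write(user, tool):
        raise Forbidden("no write access to this tool")
    tool.content = content

def update_tool_fixed(user, tool, content):
    # Fix: require the same feature-level permission that create_tool enforces.
    if not may_manage_tools(user):
        raise Forbidden("workspace.tools required")
    update_tool_before_fix(user, tool, content)

def bob_update_accepted(update):
    """Replay the advisory's Alice/Bob setup (constructed data) against `update`."""
    alice, bob = User("alice", {"workspace.tools"}), User("bob")
    tool = create_tool(alice, "# original body")
    tool.write_grants.add(bob.id)  # Alice shares the tool with Bob
    try:
        update(bob, tool, "# replaced body")
    except Forbidden:
        return False
    return True
```

`bob_update_accepted` doubles as a regression check: it should return `False` for any update handler that mirrors the create endpoint's authorization.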