CVE-2026-34222: Open WebUI: access control bypass leaks Tool Valve API keys

GHSA-7429-hxcv-268m HIGH PoC AVAILABLE CISA: TRACK*
Published April 1, 2026
CISO Take

Any authenticated Open WebUI user can silently extract admin-configured API keys from Tool Valves — credentials that likely grant access to email servers, knowledge bases, or other backend systems. Upgrade to v0.8.11 immediately and rotate all API keys stored in Tool Valves. If you run Open WebUI with multi-user access and external tool integrations, assume credential compromise until rotated.

What is the risk?

High risk for any multi-user Open WebUI deployment using Tools with configured Valves. Exploitability is trivial: requires only a valid low-privilege account and a predictable tool ID (derived from the tool name). No special skills, no brute force, no admin interaction — just a single authenticated HTTP GET. The scope extends beyond Open WebUI itself since extracted API keys enable lateral movement into third-party systems (email, knowledge bases, shop backends). CVSS 7.7 reflects the chained impact accurately.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| Open WebUI | pip | < 0.8.11 | 0.8.11 |

143.3K | Pushed 8d ago | 77% patched | ~5d to patch


How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: 5.3% chance of exploitation in 30 days (higher than 92% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

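Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): None
Availability (A): None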

What should I do?

  1. Patch immediately: upgrade to Open WebUI v0.8.11 which adds authorization checks to the Tool Valves endpoint.

  2. Rotate all API keys and secrets stored in Tool Valves — treat them as compromised if any non-admin users had access to the instance.

  3. If patching is not immediate, restrict Open WebUI access to trusted admins only or take the instance offline.

  4. Audit access logs for GET requests to /api/v1/tools/id/*/valves from non-admin accounts.

  5. Implement least-privilege scopes for API keys stored in Valves — use service accounts with minimal permissions specific to the Open WebUI use case.
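
The log audit in step 4 can be scripted. The following is an added example, not code from Open WebUI or the advisory. It assumes a reverse proxy in front of Open WebUI that writes one JSON object per line with `user`, `method`, `uri` and `status` fields, and that you supply the list of admin accounts; the field names and sample lines are constructed.

```python
import json
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Exact Tool Valves read path from the advisory; the tool ID is one path segment.
VALVES_PATH = re.compile(r"^/api/v1/tools/id/([^/]+)/valves/?$")

# Constructed sample lines in the assumed reverse-proxy JSON format.
SAMPLE_LOG = [
    '{"user": "admin@example.test", "method": "GET", "uri": "/api/v1/tools/id/email-connector/valves", "status": 200}',
    '{"user": "lowpriv@example.test", "method": "GET", "uri": "/api/v1/tools/id/email-connector/valves", "status": 200}',
    '{"user": "lowpriv@example.test", "method": "GET", "uri": "/api/v1/tools/id/crm-lookup/valves?x=1", "status": 404}',
    '{"user": "lowpriv@example.test", "method": "POST", "uri": "/some/other/path", "status": 200}',
    "INFO:     Started server process [1]",
]


def audit_valve_reads(log_lines, admin_users):
    """Summarise Tool Valves GETs per non-admin user: tool IDs, served, denied."""
    findings = defaultdict(lambda: {"tools": set(), "served": 0, "denied": 0})
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise such as startup banners
        if not isinstance(rec, dict) or rec.get("method") != "GET":
            continue
        match = VALVES_PATH.match(urlsplit(rec.get("uri", "")).path)
        user = rec.get("user") or "<unauthenticated>"
        if not match or user in admin_users:
            continue
        entry = findings[user]
        entry["tools"].add(unquote(match.group(1)))
        # A 2xx means valve contents were returned: rotate that tool's keys.
        if 200 <= int(rec.get("status", 0)) < 300:
            entry["served"] += 1
        else:
            entry["denied"] += 1
    return dict(findings)


if __name__ == "__main__":
    for user, hit in audit_valve_reads(SAMPLE_LOG, {"admin@example.test"}).items():
        print(user, sorted(hit["tools"]), "served:", hit["served"], "denied:", hit["denied"])
```

A non-admin with `served` above zero received valve contents; many distinct tool IDs with mostly denied or not-found responses points to ID guessing.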

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  • A.6.2.3 - Information security in AI system development
  • A.9.4 - System and application access control
NIST AI RMF
  • MANAGE-2.2 - Mechanisms to sustain treatment of identified risks
OWASP LLM Top 10
  • LLM02:2025 - Sensitive Information Disclosure
  • LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-34222 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-34222, increasing the risk of exploitation.

What systems are affected by CVE-2026-34222?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM tool integrations, RAG pipelines, AI assistants with external API access, enterprise LLM gateways.

What is the CVSS score for CVE-2026-34222?

CVE-2026-34222 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 5.27%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM tool integrations, RAG pipelines, AI assistants with external API access, enterprise LLM gateways

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0083 Credentials from AI Agent Configuration
AML.T0084.001 Tool Definitions
AML.T0098 AI Agent Tool Credential Harvesting

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3, A.9.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

# Summary

## Broken Access Control in Tool Valves

Open WebUI supports function calling through "Tools". Function calling allows an LLM to reliably connect to external tools and interact with external APIs. Exemplary use-cases include connecting to an internal knowledge base, retrieving emails from an exchange server, or retrieving order data from a shop backend.

These interactions often require the LLM to authenticate against backend services using API keys specifically created for a technical (Open WebUI) user.

To simplify configuration and secret handling, Open WebUI implements "Valves" and "UserValves" that allow users and administrators to input dynamic details like API keys or configuration options.

Valves have the following distinction:

- **Valves:** Configurable by admins only.
- **UserValves:** Configurable by any user.

The Tool Valves endpoint does not properly restrict read access to the valve. This allows a low privileged user to access all data contained within the valve. In the worst case, this gives a low privileged "Member" user access to sensitive Tool data, such as API keys for third-party systems.

---

# Details

## 1) Broken Access Control in Tool Valves

The following steps can be performed to reproduce the vulnerability.

**1.** An administrator creates an Open WebUI Tool with a configured Valve.

<img width="1038" height="597" alt="image" src="https://github.com/user-attachments/assets/f79bdde9-18fa-49e4-a6c3-5077731f0815" />

**2.** The administrator configures the API key within the Tool Valve.

<img width="1039" height="446" alt="image" src="https://github.com/user-attachments/assets/d88d06b9-fc21-45e5-8142-d9f874601f87" />

**3.** A user with at least "Member" privileges logs into Open WebUI.

The following screenshot shows the user overview of the test instance:

<img width="908" height="354" alt="image" src="https://github.com/user-attachments/assets/40025151-418d-4912-8400-1e1a6e5cd4e4" />

The following screenshot illustrates that the "lowpriv" user doesn't have access to the tool:

<img width="815" height="433" alt="image" src="https://github.com/user-attachments/assets/ec06b07f-9735-4728-9dce-d97d721051b8" />

**4.** The "lowpriv" user uses their Authorization token to retrieve the API key from the Tool Valve. In order to do so, the attacker needs to know the Tool ID. However, as this ID is always the same for imported tools, and the tool IDs are concatenated from the tool name, guessing tool IDs is trivial.

<img width="754" height="208" alt="image" src="https://github.com/user-attachments/assets/61c80cac-25c8-4730-8156-90869801389f" />

As seen in the following code snippet, the vulnerability is present because the Tool Valves route does not check if the requesting user has administrative permissions (Line 515).

[Source: `backend/open_webui/routers/tools.py` L513–L531](https://github.com/open-webui/open-webui/blob/2b26355002064228e9b671339f8f3fb9d1fafa73/backend/open_webui/routers/tools.py#L513-L531)

---

# PoC

You can find the detailed PoC steps in the [Details](#details) section. To execute the exploit:

1. Login as a verified user and copy the authorization token.
2. Access the configured valve of any existing tool with the following request (please mind the placeholders):

```http
GET /api/v1/tools/id/<tool_id>/valves HTTP/1.1
Host: <your_test_host>
Authorization: Bearer <authorization_token_from_step_1>
```

---

# Impact

This information disclosure vulnerability allows low privileged users to access sensitive values stored in Tool Valves. Anyone using Open WebUI Tools with a configured Valve is affected. In the worst case, exploitation allows an attacker to access third-party systems within the context of the configured Open WebUI technical user.

---

# Additional Remarks

Additional remarks regarding the CVSS Vector String:

| Component | Value | Rationale |
|-----------|-------|-----------|
| AC | L | Due to the requirement of a "Member" account |
| C | H | Sensitive data, such as API Keys for backend systems, is disclosed |
| S | C | Exploitation of this vulnerability grants access to third-party systems |

---

> **AI report transparency:** AI was used for refinement of this advisory text.
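
The missing check the advisory describes, shown as a framework-free model with an authorization matrix that can serve as a regression test. This is an added example, not Open WebUI's code or its v0.8.11 patch; the class names, handler names, role strings and fixtures are all hypothetical.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Stands in for an HTTP 401/403 response."""

@dataclass
class User:
    id: str
    role: str  # constructed role names: "admin", "member", "pending"

@dataclass
class Tool:
    id: str
    valves: dict                                     # admin-configured, may hold API keys
    user_valves: dict = field(default_factory=dict)  # per-user settings keyed by user id

# Constructed fixtures.
USERS = [User("root", "admin"), User("lowpriv", "member"), User("new", "pending")]
TOOL = Tool("email-connector", {"api_key": "PLACEHOLDER"}, {"lowpriv": {"lang": "en"}})

def get_valves_vulnerable(tool, user):
    # Behaviour the advisory describes: the caller is authenticated, but the
    # handler never asks whether the caller is an admin.
    if user.role not in ("admin", "member"):
        raise Forbidden("account not verified")
    return tool.valves

def get_valves_hardened(tool, user):
    # Valves are configurable by admins only, so reads get the same gate.
    if user.role != "admin":
        raise Forbidden("admin role required")
    return tool.valves

def get_user_valves(tool, user):
    # UserValves are per-user: return only the caller's own entry.
    if user.role not in ("admin", "member"):
        raise Forbidden("account not verified")
    return tool.user_valves.get(user.id, {})

def who_can_read(handler, tool, users):
    """Authorization matrix: user id -> True if the handler returned data."""
    matrix = {}
    for user in users:
        try:
            handler(tool, user)
            matrix[user.id] = True
        except Forbidden:
            matrix[user.id] = False
    return matrix
```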

Exploitation Scenario

An attacker obtains a low-privilege 'Member' account on an Open WebUI instance — either through credential stuffing, phishing, or by registering if open registration is enabled. They enumerate tool IDs by guessing predictable names (e.g., 'email-connector', 'sharepoint-search', 'crm-lookup') or by observing tool names visible in the UI. A single authenticated GET to /api/v1/tools/id/<tool_id>/valves returns the admin-configured API keys in plaintext. The attacker then uses those keys to access the Exchange server, SharePoint, or other backend system as the Open WebUI service account — potentially exfiltrating emails, documents, or customer data without triggering any Open WebUI audit event.

Weaknesses (CWE)

CWE-285 — Improper Authorization: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: April 1, 2026
Last Modified: April 1, 2026
First Seen: April 2, 2026

Related Vulnerabilities