Summary
Broken Access Control in Tool Valves
Open WebUI supports function calling through "Tools". Function calling allows an LLM to reliably connect to external tools and interact with external APIs. Exemplary use-cases include connecting to an internal knowledge base, retrieving emails from an exchange server, or retrieving order data from a shop backend.
These interactions often require the LLM to authenticate against backend services using API keys specifically created for a technical (Open WebUI) user.
To simplify configuration and secret handling, Open WebUI implements "Valves" and "UserValves" that allow users and administrators to input dynamic details like API keys or configuration options.
Valves have the following distinction:
- Valves: Configurable by admins only.
- UserValves: Configurable by any user.
The Tool Valves endpoint does not properly restrict read access to the valve. This allows a low privileged user to access all data contained within the valve. In the worst case, this gives a low privileged "Member" user access to sensitive Tool data, such as API keys for third-party systems.
Details
1) Broken Access Control in Tool Valves
The following steps can be performed to reproduce the vulnerability.
1. An administrator creates an Open WebUI Tool with a configured Valve.
2. The administrator configures the API key within the Tool Valve.
3. A user with at least "Member" privileges logs into Open WebUI.
The following screenshot shows the user overview of the test instance:
The following screenshot illustrates that the "lowpriv" user doesn't have access to the tool:
4. The "lowpriv" user uses their Authorization token to retrieve the API key from the Tool Valve.
In order to do so, the attacker needs to know the Tool ID. However, as this ID is always the same for imported tools, and the tool IDs are concatenated from the tool name, guessing tool IDs is trivial.
As seen in the following code snippet, the vulnerability is present because the Tool Valves route does not check if the requesting user has administrative permissions (Line 515).
Source: backend/open_webui/routers/tools.py L513–L531
PoC
You can find the detailed PoC steps in the Details section.
To execute the exploit:
- Login as a verified user and copy the authorization token.
- Access the configured valve of any existing tool with the following request (please mind the placeholders):
GET /api/v1/tools/id/<tool_id>/valves HTTP/1.1
Host: <your_test_host>
Authorization: Bearer <authorization_token_from_step_1>
Additional Remarks
Additional remarks regarding the CVSS Vector String:
| Component | Value | Rationale |
|---|---|---|
| AC | L | Due to the requirement of a "Member" account |
| C | H | Sensitive data, such as API Keys for backend systems, is disclosed |
| S | C | Exploitation of this vulnerability grants access to third-party systems |
AI report transparency: AI was used for refinement of this advisory text.
Impact
This information disclosure vulnerability allows low privileged users to access sensitive values stored in Tool Valves. Anyone using Open WebUI Tools with a configured Valve is affected. In the worst case, exploitation allows an attacker to access third-party systems within the context of the configured Open WebUI technical user.
CVE-2026-34222 has a CVSS score of 7.7 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.8.11); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-34222? CVE-2026-34222 is a high-severity security vulnerability in open-webui (pip), affecting versions < 0.8.11. It is fixed in 0.8.11.
- How severe is CVE-2026-34222? CVE-2026-34222 has a CVSS score of 7.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of open-webui are affected by CVE-2026-34222? open-webui (pip) versions < 0.8.11 is affected.
- Is there a fix for CVE-2026-34222? Yes. CVE-2026-34222 is fixed in 0.8.11. Upgrade to this version or later.
- Is CVE-2026-34222 exploitable, and should I be worried? Whether CVE-2026-34222 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-34222 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-34222? Upgrade
open-webuito 0.8.11 or later.