CVE-2026-45395: Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

The tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for code execution ) to replace a tool’s server-side Python content and trigger execution, bypassing the intended workspace.tools security boundary.

Open WebUI’s security policy correctly states that workspace.tools is the trust boundary for code execution: “Granting a user the ability to create Tools is equivalent to giving them shell access to the server.” This vulnerability breaks that boundary. A write access grant on a single tool is sufficient to bypass workspace.tools entirely.

This is not a report about exec() being unsandboxed (that is acknowledged as intended behavior). This is a report about a missing authorization check that allows an untrusted user to reach the exec() sink that should be gated behind workspace.tools.