CVE-2026-34222 HIGH

CVE-2026-34222: Open WebUI has Broken Access Control in Tool Valves

Vendor Open-Webui

Product open-webui

Weakness CWE-285

Published April 1, 2026

Last update April 4, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.

Key dates

02Disclosure timeline

April 1, 2026 CVE published

April 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34222

Related vulnerabilities

04Related CVE

CVE-2024-2557 kishor-23 Food Waste Management System admin.php improper authorization CVE-2023-33189 Incorrect Authorization with specially crafted requests CVE-2025-43585 Adobe Commerce | Improper Authorization (CWE-285) CVE-2024-30061 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability CVE-2025-6735 juzaweb CMS Import Page imports improper authorization