Skip to content

Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

High severity GitHub Reviewed Published May 5, 2026 in open-webui/open-webui • Updated May 15, 2026

Package

pip open-webui (pip)

Affected versions

<= 0.8.12

Patched versions

0.9.0

Description

Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Affected Component

Tool server and terminal server Redis cache:

  • backend/open_webui/utils/tools.py (line 841, tool_servers SET)
  • backend/open_webui/utils/tools.py (line 850, tool_servers GET)
  • backend/open_webui/utils/tools.py (line 976, terminal_servers SET)
  • backend/open_webui/utils/tools.py (line 986, terminal_servers GET)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions since the tool server / terminal server Redis cache was introduced.

Description

Open WebUI uses a REDIS_KEY_PREFIX (default open-webui) to namespace Redis keys, allowing multiple instances to safely share a single Redis backend. Every Redis key in the codebase uses this prefix — except the tool_servers and terminal_servers keys in utils/tools.py, which use bare key names.

When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern, e.g., for multi-region deployments, blue-green setups, or cluster topologies), the unprefixed keys collide. An admin on Instance A writing to tool_servers overwrites the value read by Instance B — causing Instance B's users to receive Instance A's tool server configuration.

# utils/tools.py — unprefixed keys (problem)
await request.app.state.redis.set('tool_servers', ...)        # line 841
json.loads(await request.app.state.redis.get('tool_servers')) # line 850
await request.app.state.redis.set('terminal_servers', ...)    # line 976
json.loads(await request.app.state.redis.get('terminal_servers'))  # line 986

# Every other Redis key in the codebase — prefixed (correct pattern)
f'{REDIS_KEY_PREFIX}:auth:token:{jti}:revoked'
f'{REDIS_KEY_PREFIX}:ratelimit:{email}:{bucket}'
f'{REDIS_KEY_PREFIX}:tasks:commands'

Attack Scenario

Two Open WebUI instances (A and B) share a Redis backend — a supported deployment for multi-region setups, blue-green deployments, or hot-standby. Both instances have their own admin accounts; the shared Redis was chosen for coordinated session handling, rate limiting, and task management.

  1. Attacker is an admin on Instance A (a legitimately provisioned admin, or one that escalated via any available path including the LDAP empty-password or stale-admin-role findings).
  2. Attacker on Instance A configures a tool server pointing to https://attacker-controlled.example.com/openapi.json. This triggers utils/tools.py:841 to write the new tool server list under the bare key tool_servers.
  3. Instance B's users query tools. Instance B reads from tool_servers (line 850) — gets Instance A's poisoned list, which now includes the attacker's server alongside or instead of Instance B's legitimate tool servers.
  4. Instance B's users invoke tools through the model's context. The attacker's server receives tool call payloads containing: chat content, user identity, OAuth tokens scoped to the tool server (if the user has bound their external account), and in-flight conversation context.
  5. The attacker's server returns arbitrary tool responses, which are fed back into Instance B's LLM context as "trusted tool output" — enabling prompt injection, misinformation delivery, and further data exfiltration cascades.

The same cross-instance poisoning applies to terminal_servers.

Impact

  • Cross-instance cache poisoning: an admin on one instance affects all users of another instance sharing the Redis backend
  • Data exfiltration: tool call payloads contain chat content and user identity, delivered to the attacker's server
  • Prompt injection delivery: attacker-returned tool responses enter the victim instance's LLM context as trusted data
  • Undermines the multi-instance isolation guarantee that REDIS_KEY_PREFIX was introduced to provide
  • Silent failure mode: no error is raised; the victim instance sees a valid, signed cache entry and has no way to detect it came from a different instance

Preconditions

  • Multiple Open WebUI instances share a single Redis backend (a supported and documented deployment)
  • Attacker has admin access on one of the instances (or escalates to admin via any available path)

References

@doge-woof doge-woof published to open-webui/open-webui May 5, 2026
Published to the GitHub Advisory Database May 8, 2026
Reviewed May 8, 2026
Published by the National Vulnerability Database May 15, 2026
Last updated May 15, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(22nd percentile)

Weaknesses

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Learn more on MITRE.

CVE ID

CVE-2026-44552

GHSA ID

GHSA-3x8w-4f7p-xxc2

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.