Open WebUI Vulnerability: Redis Key Collision Exposes Multi-Instance Deployments
A high-severity vulnerability, CVE-2026-44552, has been identified in Open WebUI, a self-hosted AI platform. The National Vulnerability Database reports that, prior to version 0.9.0, the Redis keys tool_servers and terminal_servers written by utils/tools.py carried no instance-specific prefix. Every instance therefore reads and writes the same two keys, which creates a collision risk whenever multiple Open WebUI instances share a single Redis database, a common and supported deployment pattern for high availability, multi-region setups, and cluster topologies.
The impact is significant: an administrator configuring tool servers on one Open WebUI instance silently overwrites the configuration of every other instance sharing that Redis. Users on a separate instance then receive the tool server configuration intended for the first, which can mean misconfiguration, requests routed to tool servers they were never meant to reach, or disruption of service. The National Vulnerability Database assigns a CVSS score of 8.7 (High), reflecting the severity of this cross-instance configuration overwrite.
Defenders should treat this as a control-plane integrity issue. The vulnerability is categorized as CWE-668 (Exposure of Resource to Wrong Sphere), which fits: a key that should belong to one instance is visible to, and writable by, every instance on the shared backend. It underscores the risk inherent in shared backend services when isolation is not enforced at the application layer, for example by namespacing every key with an instance identifier. The fix is available in Open WebUI version 0.9.0, which addresses the unprefixed key issue.
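The collision pattern described above, as an added example written for this page (it is not Open WebUI's code and does not reproduce its real key layout): two instances write the same bare tool_servers key into one shared store, then the same two instances write under a per-instance prefix. The FakeRedis class is a stand-in for the small redis-py surface used here so the script runs offline; the "prefix:name" key format and the owui-a / owui-b instance names are assumptions for illustration. The find_bare_keys check is the one you would run against key names from SCAN on a real shared Redis to see whether any pre-0.9.0 writer is still present.

```python
import fnmatch
import json
from typing import Dict, Iterable, List, Optional


class FakeRedis:
    """In-memory stand-in for the set/get/scan_iter subset of redis-py.
    Constructed for this example so it runs offline; not a real client."""

    def __init__(self) -> None:
        self._data: Dict[str, str] = {}

    def set(self, key: str, value: str) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[str]:
        return self._data.get(key)

    def scan_iter(self, match: str = "*") -> Iterable[str]:
        return [k for k in self._data if fnmatch.fnmatch(k, match)]


# Bare key names the advisory says were written without a prefix before 0.9.0.
BARE_KEYS = ("tool_servers", "terminal_servers")


def redis_key(name: str, instance_prefix: Optional[str]) -> str:
    """No prefix reproduces the pre-0.9.0 pattern. The 'prefix:name' layout is
    an assumption for illustration, not necessarily Open WebUI's own format."""
    return name if not instance_prefix else f"{instance_prefix}:{name}"


def save_tool_servers(r, servers: List[dict], instance_prefix: Optional[str] = None) -> str:
    """Store a tool server list as JSON under the (optionally prefixed) key."""
    key = redis_key("tool_servers", instance_prefix)
    r.set(key, json.dumps(servers))
    return key


def load_tool_servers(r, instance_prefix: Optional[str] = None) -> List[dict]:
    """Read back the tool server list this instance believes is its own."""
    raw = r.get(redis_key("tool_servers", instance_prefix))
    return json.loads(raw) if raw else []


def find_bare_keys(keys: Iterable[str]) -> List[str]:
    """Audit check: given key names (e.g. from SCAN on a shared Redis), return
    any bare tool_servers / terminal_servers keys, i.e. evidence of an
    instance that still writes unprefixed keys."""
    return sorted(k for k in keys if k in BARE_KEYS)


def demo_collision() -> Dict[str, object]:
    r = FakeRedis()
    a_cfg = [{"url": "https://tools-a.example.internal"}]  # constructed sample
    b_cfg = [{"url": "https://tools-b.example.internal"}]  # constructed sample

    # Vulnerable pattern: A and B share the bare key, so B's write silently
    # replaces A's configuration and A now hands out B's tool servers.
    save_tool_servers(r, a_cfg)
    save_tool_servers(r, b_cfg)
    a_sees_unprefixed = load_tool_servers(r)[0]["url"]

    # Fixed pattern: each instance writes under its own prefix; no overlap.
    save_tool_servers(r, a_cfg, instance_prefix="owui-a")
    save_tool_servers(r, b_cfg, instance_prefix="owui-b")
    a_sees_prefixed = load_tool_servers(r, "owui-a")[0]["url"]
    b_sees_prefixed = load_tool_servers(r, "owui-b")[0]["url"]

    return {
        "unprefixed_a_sees": a_sees_unprefixed,
        "prefixed_a_sees": a_sees_prefixed,
        "prefixed_b_sees": b_sees_prefixed,
        "bare_keys_present": find_bare_keys(r.scan_iter("*")),
    }


if __name__ == "__main__":
    print(json.dumps(demo_collision(), indent=2))
```

Against a live deployment, feed `find_bare_keys` the output of `scan_iter("*")` from a real redis-py client: a bare tool_servers or terminal_servers key on a Redis shared by several instances means at least one of them is still on a pre-0.9.0 build, whatever the others report.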
What This Means For You
- If your organization runs Open WebUI in a multi-instance deployment that shares one Redis database, you are exposed to CVE-2026-44552. Upgrade every instance to version 0.9.0 or later; a mix of old and new versions still leaves the old ones writing the bare keys. If you cannot upgrade immediately, give each instance its own Redis database (or at least its own logical database index) so the unprefixed keys cannot collide. Review your Redis key management for other shared services as well.
🛡️ Detection Rules
```yaml
title: CVE-2026-44552 - Open WebUI Redis Key Collision
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
    Detects the specific API endpoint and method used to write to the 'tool_servers' key in Open WebUI, which can lead to key collisions in shared Redis instances as described in CVE-2026-44552. This allows an attacker to potentially overwrite configurations for other instances sharing the same Redis database.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-44552/
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-uri:
            - '/api/settings/tool_servers'
        cs-method:
            - 'PUT'
        sc-status:
            - '200'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
Three caveats on this rule. It fires on every successful PUT to the endpoint, including the legitimate administrative writes that cause the collision, so it is an audit signal rather than an attack signal: correlate the source address and instance with the configuration each instance was expected to have. The rule is auto-generated, so confirm the endpoint path against your own deployment's access logs before relying on it. And the attack.t1505.003 tag (Server Software Component: Web Shell) is a loose fit for a configuration-overwrite issue; treat the mapping as approximate.
Source: Shimi's Cyber World
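The rule's selection applied to log lines, as an added example (it is not code from the feed or from Open WebUI). The field values are taken from the rule as printed above; the W3C-style field order and the log lines themselves are constructed for the example, and the IPs and timestamps are invented. It shows Sigma selection semantics (AND across fields, OR within each value list) and the per-source pivot you would use when triaging hits in a shared-Redis deployment.

```python
from typing import Dict, List, Set

# W3C extended-log field order assumed for the constructed sample below.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "sc-status"]

# The rule's selection as printed above (field -> accepted values).
# Sigma semantics: every listed field must match one of its values.
SELECTION: Dict[str, Set[str]] = {
    "cs-uri": {"/api/settings/tool_servers"},
    "cs-method": {"PUT"},
    "sc-status": {"200"},
}

# Constructed sample log lines (invented addresses and times), one event per line.
SAMPLE_LOG = """\
2026-05-15 23:10:01 10.0.0.5 PUT /api/settings/tool_servers 200
2026-05-15 23:10:02 10.0.0.5 GET /api/settings/tool_servers 200
2026-05-15 23:10:03 10.0.0.9 PUT /api/settings/tool_servers 403
2026-05-15 23:10:04 10.0.0.7 PUT /api/settings/tool_servers 200
"""


def parse_w3c(line: str) -> Dict[str, str]:
    """Split one space-separated log line into the FIELDS mapping."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in line: {line!r}")
    return dict(zip(FIELDS, parts))


def matches(event: Dict[str, str], selection: Dict[str, Set[str]]) -> bool:
    """AND across selection fields, OR within each field's value list."""
    return all(event.get(field) in values for field, values in selection.items())


def run_rule(log_text: str, selection: Dict[str, Set[str]] = SELECTION) -> List[Dict[str, str]]:
    """Return the events that satisfy the selection (condition: selection)."""
    events = (parse_w3c(line) for line in log_text.splitlines() if line.strip())
    return [event for event in events if matches(event, selection)]


def writers_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count successful writes per client address. In a shared-Redis deployment
    each hit is a potential overwrite of another instance's configuration, so
    the question is which hosts wrote, not merely whether anyone did."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["c-ip"]] = counts.get(hit["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = run_rule(SAMPLE_LOG)
    for hit in hits:
        print(hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri"])
    print(writers_by_source(hits))
```

The GET and the 403 lines are filtered out by the method and status clauses; only the two successful PUTs remain, and the per-source count is what you would compare against the list of administrators who were supposed to be editing each instance.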
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44552 | Affected version | Open WebUI versions prior to 0.9.0 |
| CVE-2026-44552 | Affected configuration | Multiple Open WebUI instances sharing one Redis database, with the unprefixed keys tool_servers and terminal_servers written by utils/tools.py |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.