mirror of
https://github.com/open-webui/docs.git
synced 2026-03-27 13:28:37 +07:00
SECURITY WARNINGS tools and plugins
@@ -53,9 +53,9 @@ Integrating Pipelines with any OpenAI API-compatible UI client is simple. Launch
|
||||
|
||||
## ⚡ Quick Start with Docker
|
||||
|
||||
:::warning
|
||||
:::danger ⚠️ Security Warning
|
||||
|
||||
Pipelines are a plugin system with arbitrary code execution — **don't fetch random pipelines from sources you don't trust**.
|
||||
Pipelines are a plugin system with arbitrary code execution — **don't fetch random pipelines from sources you don't trust**. A malicious Pipeline could access your file system, exfiltrate data, mine cryptocurrency, or compromise your system. Always review Pipeline source code before installing. See the [Security Policy](/security) for more details.
|
||||
|
||||
:::
|
||||
|
||||
|
||||
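Review bot: The impact list in the new Pipelines sentence ("access your file system, exfiltrate data, mine cryptocurrency, or compromise your system") omits reading secrets from the environment, which the Security Implications list added to the security page in this same commit calls out as "read API keys, secrets, and configuration". Suggest adding that item here so the short warning and the policy page describe the same impact. Also confirm the site-relative link `/security` resolves from this page, since the policy text elsewhere in the commit links to the GitHub security URL instead.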
@@ -11,6 +11,12 @@ Unlike external tools that may require complex integrations, **Functions are bui
|
||||
|
||||
Think of Functions as **modular building blocks** that let you enhance how the WebUI works, tailored exactly to what you need. They’re lightweight, highly customizable, and written in **pure Python**, so you have the freedom to create anything—from new AI-powered workflows to integrations with anything you use, like Google Search or Home Assistant.
|
||||
|
||||
:::danger ⚠️ Security Warning
|
||||
|
||||
**Functions execute arbitrary Python code on your server.** Only install Functions from trusted sources. Before importing any Function, review its source code to understand what it does. A malicious Function could access your file system, exfiltrate data, or compromise your system. See the [Security Policy](/security) for more details.
|
||||
|
||||
:::
|
||||
|
||||
---
|
||||
|
||||
## 🏗️ Types of Functions
|
||||
|
||||
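Review bot: The Functions warning tells readers to "review its source code to understand what it does" but gives no instruction for the case where the reader cannot evaluate the code; the Tools and Functions overview in this commit does ("If you don't understand what it does, don't install it"). Suggest carrying that sentence over so the advice has a clear default. The impact list here also drops "mine cryptocurrency", which the Pipelines warning includes; pick one wording and reuse it in both places.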
@@ -17,6 +17,28 @@ Getting started with Tools and Functions is easy because everything’s already
|
||||
|
||||
## What are "Tools" and "Functions"?
|
||||
|
||||
---
|
||||
|
||||
:::danger ⚠️ Critical Security Warning
|
||||
|
||||
**Tools, Functions, Pipes, Filters, and Pipelines execute arbitrary Python code on your server.** This is by design—it's what makes them powerful. However, this also means:
|
||||
|
||||
1. **Only install from trusted sources.** Never import Tools or Functions from unknown or untrusted sources. Malicious code can compromise your entire system.
|
||||
|
||||
2. **Review code before importing.** Before installing any community Tool or Function, review its source code. If you don't understand what it does, don't install it.
|
||||
|
||||
3. **Protect your data directory.** The `data` directory (mounted at `/app/backend/data` in Docker) contains your database, configurations, and cached Tools/Functions. If an attacker gains write access to this directory, they can inject malicious code that will execute on your server.
|
||||
|
||||
4. **Restrict Workspace access.** Only trusted administrators should have permission to create, import, or modify Tools and Functions. Regular users should **not** have Workspace access unless explicitly required.
|
||||
|
||||
5. **Audit installed plugins regularly.** Periodically review the Tools and Functions installed in your instance via **Workspace → Tools** and **Admin Panel → Functions**.
|
||||
|
||||
**What could go wrong?** A malicious Tool or Function could exfiltrate data, install malware, mine cryptocurrency, pivot to other systems on your network, or corrupt your instance.
|
||||
|
||||
:::
|
||||
|
||||
---
|
||||
|
||||
Let's start by thinking of **Open WebUI** as a "base" software that can do many tasks related to using Large Language Models (LLMs). But sometimes, you need extra features or abilities that don't come *out of the box*—this is where **tools** and **functions** come into play.
|
||||
|
||||
### Tools
|
||||
|
||||
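Review bot: The bold lead sentence covers "Tools, Functions, Pipes, Filters, and Pipelines", but items 1, 2 and 5 speak only of "Tools or Functions", and the audit locations in item 5 (Workspace → Tools, Admin Panel → Functions) give no place to review installed Pipelines. Either name Pipelines in those items and say where they are audited, or narrow the lead sentence to match. As a smaller point, item 3 says to protect the `data` directory without saying what protection means; one concrete sentence on who should have write access to the mounted volume would make it actionable.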
@@ -85,6 +85,50 @@ If your concern does not meet the vulnerability requirements outlined above, is
|
||||
|
||||
Examples of non-vulnerability, still security-related concerns include suggestions for better default configuration values, security hardening recommendations, deployment best practices guidance, unclear configuration instructions, need for additional security documentation, feature requests for optional security enhancements (2FA, audit logging, etc.), and general security questions about production deployment. Please use the adequate channel for your specific issue.
|
||||
|
||||
## Tools, Functions, and Pipelines Security
|
||||
|
||||
Open WebUI provides powerful extensibility through **Tools**, **Functions** (including Pipes, Filters, and Actions), and **Pipelines**. These features allow you to extend Open WebUI's capabilities with custom Python code. However, this power comes with security responsibilities.
|
||||
|
||||
:::warning
|
||||
|
||||
**Tools, Functions, and Pipelines execute arbitrary Python code on your server.** This is intentional—it's what makes them powerful. However, this means they have the same level of access as the Open WebUI backend process itself.
|
||||
|
||||
:::
|
||||
|
||||
### Security Implications
|
||||
|
||||
When you install a Tool, Function, or Pipeline, you are granting it the ability to:
|
||||
|
||||
- **Access the file system** — read or write any files the backend process can access
|
||||
- **Make network requests** — connect to external services, potentially exfiltrating data
|
||||
- **Execute system commands** — run shell commands via subprocess
|
||||
- **Access environment variables** — read API keys, secrets, and configuration
|
||||
- **Modify the database** — access or alter stored data
|
||||
- **Consume compute resources** — run CPU-intensive operations
|
||||
|
||||
### Best Practices
|
||||
|
||||
| Practice | Description |
|
||||
|----------|-------------|
|
||||
| **Only install from trusted sources** | Only use Tools/Functions from the official community library or sources you trust |
|
||||
| **Review code before installing** | Read and understand what a Tool/Function does before importing it |
|
||||
| **Restrict Workspace access** | Only grant Workspace permissions to trusted administrators |
|
||||
| **Audit installed plugins** | Regularly review installed Tools (Workspace → Tools) and Functions (Admin Panel → Functions) |
|
||||
| **Protect your data directory** | The `/app/backend/data` directory contains your database and cached plugins—protect it from unauthorized access |
|
||||
| **Monitor resource usage** | Watch for unexpected CPU spikes that could indicate cryptomining or other abuse |
|
||||
| **Use official Docker images** | Only pull from `ghcr.io/open-webui/open-webui`—unofficial images may be compromised |
|
||||
|
||||
### What Is NOT a Vulnerability
|
||||
|
||||
The following scenarios are **not** considered vulnerabilities because they require administrator action:
|
||||
|
||||
- An admin installing a malicious Tool or Function
|
||||
- An admin granting Workspace access to an untrusted user
|
||||
- An admin importing code from an untrusted source
|
||||
- An attacker with write access to the data volume injecting malicious plugins
|
||||
|
||||
These scenarios represent **admin negligence** or **environment compromise**, not vulnerabilities in Open WebUI itself. See [Rule #10 in our Security Policy](https://github.com/open-webui/open-webui/security) for details.
|
||||
|
||||
## Product Security Process
|
||||
|
||||
- Internal and periodic external reviews of our architecture and pipelines
|
||||
|
||||
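Review bot: In "What Is NOT a Vulnerability", the lead sentence says the scenarios are excluded "because they require administrator action", yet the fourth bullet ("An attacker with write access to the data volume injecting malicious plugins") involves no administrator action; it is only covered by the closing sentence's "environment compromise". Suggest rewording the lead to something like "because they require administrator action or a prior compromise of the host environment" so the list and its rationale agree. Separately, this page uses `:::warning` for the arbitrary-code-execution notice while the other three pages in the commit were raised to `:::danger`; use the same admonition level here.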