AI Threat Alert

CVE-2024-8060: OpenWebUI: path traversal RCE via audio upload API

GHSA-ff5c-56m7-vc75 HIGH CISA: TRACK*
Published March 20, 2025
CISO Take

Any authenticated user on OpenWebUI < 0.5.17 can overwrite arbitrary files inside the Docker container and achieve remote code execution as root. If your org runs OpenWebUI for internal LLM access (e.g., Ollama, local GPT), patch to 0.5.17 immediately — no workaround exists short of disabling audio transcription. Insider threat and compromised user account scenarios make this exploitable with minimal skill.

What is the risk?

High risk for organizations running OpenWebUI in shared or multi-user environments. CVSS 8.1 reflects real-world severity: network-accessible, low privileges required, no user interaction. EPSS (0.009) is low currently but path traversal + file upload to RCE is a well-understood primitive that lowers the bar significantly. Not in KEV yet but exploitation is straightforward. Docker isolation provides partial blast radius containment, though root-level container compromise is still critical in most deployment models.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip < 0.5.17 0.5.17
142.4K Pushed 3d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 54% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade open-webui to >= 0.5.17 immediately. No patch, no production use.

  2. WORKAROUND (if patching delayed): Disable audio transcription endpoint via reverse proxy rule (block POST /audio/api/v1/transcriptions).

  3. NETWORK

    Restrict OpenWebUI access to trusted internal networks; do not expose to internet.

  4. AUDIT

    Review Docker container mounts — avoid mounting host directories into the container; drop root privileges (run as non-root user in Docker).

  5. DETECT

    Alert on unexpected file modifications inside the OpenWebUI container, especially in /etc/, /app/, or startup scripts. Monitor for new processes spawned from the web process.

  6. ROTATE

    After patching, rotate all secrets (API keys, DB credentials) accessible from within the container environment.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Framework API AML.T0012 AML.T0025 AML.T0049 AML.T0072 AML.T0105

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.2 - Incident management for AI systems A.9.4 - Information security controls for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms for deployment of AI risk treatments
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Insecure AI System Components

Frequently Asked Questions

What is CVE-2024-8060?

Any authenticated user on OpenWebUI < 0.5.17 can overwrite arbitrary files inside the Docker container and achieve remote code execution as root. If your org runs OpenWebUI for internal LLM access (e.g., Ollama, local GPT), patch to 0.5.17 immediately — no workaround exists short of disabling audio transcription. Insider threat and compromised user account scenarios make this exploitable with minimal skill.

Is CVE-2024-8060 actively exploited?

No confirmed active exploitation of CVE-2024-8060 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-8060?

1. PATCH: Upgrade open-webui to >= 0.5.17 immediately. No patch, no production use. 2. WORKAROUND (if patching delayed): Disable audio transcription endpoint via reverse proxy rule (block POST /audio/api/v1/transcriptions). 3. NETWORK: Restrict OpenWebUI access to trusted internal networks; do not expose to internet. 4. AUDIT: Review Docker container mounts — avoid mounting host directories into the container; drop root privileges (run as non-root user in Docker). 5. DETECT: Alert on unexpected file modifications inside the OpenWebUI container, especially in /etc/, /app/, or startup scripts. Monitor for new processes spawned from the web process. 6. ROTATE: After patching, rotate all secrets (API keys, DB credentials) accessible from within the container environment.

What systems are affected by CVE-2024-8060?

This vulnerability affects the following AI/ML architecture patterns: LLM serving frontends, self-hosted AI portals, model inference UI layers, internal AI access management platforms.

What is the CVSS score for CVE-2024-8060?

CVE-2024-8060 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.88%.

What is the AI security impact?

Affected AI Architectures

LLM serving frontendsself-hosted AI portalsmodel inference UI layersinternal AI access management platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0072 Reverse Shell
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.2, A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user.

Exploitation Scenario

An attacker with a valid OpenWebUI account (insider, compromised credential, or low-privilege trial user) crafts a multipart POST request to /audio/api/v1/transcriptions. They set the filename parameter to a path traversal payload such as ../../etc/cron.d/backdoor or ../../app/main.py, and set file.content_type to bypass content validation. The server writes the attacker-controlled file to the resolved path inside the Docker container. By overwriting a cron job, startup script, or Python source file loaded at runtime, the attacker achieves code execution as root on the next trigger event (cron tick, app restart, or hot-reload). From there, they exfiltrate LLM API keys, user conversation data, and model configurations, or establish a reverse shell.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-434 Unrestricted Upload of File with Dangerous Type Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References

Timeline

Published
March 20, 2025
Last Modified
October 15, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44551 9.1

open-webui: LDAP auth bypass — full account takeover

Same package: open-webui
HIGH CVE-2026-45672 8.8

open-webui: code exec gate bypass via API endpoint

Same package: open-webui
HIGH CVE-2026-44552 8.7

open-webui: Redis cache poisoning enables cross-instance tool hijack

Same package: open-webui
HIGH CVE-2025-64495 8.7

Open WebUI: XSS-to-RCE via malicious prompt injection

Same package: open-webui
HIGH CVE-2026-45315 8.7

open-webui: stored XSS → JWT theft and admin takeover

Same package: open-webui
Back to Threat Feed