CVE-2024-8060 — HIGH (CVSS 8.1) AI Security Vulnerability

Q: Is CVE-2024-8060 actively exploited?

No confirmed active exploitation of CVE-2024-8060 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2024-8060?

1. PATCH: Upgrade open-webui to >= 0.5.17 immediately. No patch, no production use. 2. WORKAROUND (if patching delayed): Disable audio transcription endpoint via reverse proxy rule (block POST /audio/api/v1/transcriptions). 3. NETWORK: Restrict OpenWebUI access to trusted internal networks; do not expose to internet. 4. AUDIT: Review Docker container mounts — avoid mounting host directories into the container; drop root privileges (run as non-root user in Docker). 5. DETECT: Alert on unexpected file modifications inside the OpenWebUI container, especially in /etc/, /app/, or startup scripts. Monitor for new processes spawned from the web process. 6. ROTATE: After patching, rotate all secrets (API keys, DB credentials) accessible from within the container environment.

CISO Take

Any authenticated user on OpenWebUI < 0.5.17 can overwrite arbitrary files inside the Docker container and achieve remote code execution as root. If your org runs OpenWebUI for internal LLM access (e.g., Ollama, local GPT), patch to 0.5.17 immediately — no workaround exists short of disabling audio transcription. Insider threat and compromised user account scenarios make this exploitable with minimal skill.

Risk Assessment

High risk for organizations running OpenWebUI in shared or multi-user environments. CVSS 8.1 reflects real-world severity: network-accessible, low privileges required, no user interaction. EPSS (0.009) is low currently but path traversal + file upload to RCE is a well-understood primitive that lowers the bar significantly. Not in KEV yet but exploitation is straightforward. Docker isolation provides partial blast radius containment, though root-level container compromise is still critical in most deployment models.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	< 0.5.17	`0.5.17`
135.3K Pushed 8d ago 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

2.1%

chance of exploitation in 30 days

Higher than 84% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I High

A High

Recommended Action

6 steps

PATCH

Upgrade open-webui to >= 0.5.17 immediately. No patch, no production use.
WORKAROUND (if patching delayed): Disable audio transcription endpoint via reverse proxy rule (block POST /audio/api/v1/transcriptions).
NETWORK

Restrict OpenWebUI access to trusted internal networks; do not expose to internet.
AUDIT

Review Docker container mounts — avoid mounting host directories into the container; drop root privileges (run as non-root user in Docker).
DETECT

Alert on unexpected file modifications inside the OpenWebUI container, especially in /etc/, /app/, or startup scripts. Monitor for new processes spawned from the web process.
ROTATE

After patching, rotate all secrets (API keys, DB credentials) accessible from within the container environment.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Extraction Framework API AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.2 - Incident management for AI systems A.9.4 - Information security controls for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms for deployment of AI risk treatments

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Insecure AI System Components

Frequently Asked Questions

What is CVE-2024-8060?

Any authenticated user on OpenWebUI < 0.5.17 can overwrite arbitrary files inside the Docker container and achieve remote code execution as root. If your org runs OpenWebUI for internal LLM access (e.g., Ollama, local GPT), patch to 0.5.17 immediately — no workaround exists short of disabling audio transcription. Insider threat and compromised user account scenarios make this exploitable with minimal skill.

Is CVE-2024-8060 actively exploited?

No confirmed active exploitation of CVE-2024-8060 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-8060?

1. PATCH: Upgrade open-webui to >= 0.5.17 immediately. No patch, no production use. 2. WORKAROUND (if patching delayed): Disable audio transcription endpoint via reverse proxy rule (block POST /audio/api/v1/transcriptions). 3. NETWORK: Restrict OpenWebUI access to trusted internal networks; do not expose to internet. 4. AUDIT: Review Docker container mounts — avoid mounting host directories into the container; drop root privileges (run as non-root user in Docker). 5. DETECT: Alert on unexpected file modifications inside the OpenWebUI container, especially in /etc/, /app/, or startup scripts. Monitor for new processes spawned from the web process. 6. ROTATE: After patching, rotate all secrets (API keys, DB credentials) accessible from within the container environment.

What systems are affected by CVE-2024-8060?

This vulnerability affects the following AI/ML architecture patterns: LLM serving frontends, self-hosted AI portals, model inference UI layers, internal AI access management platforms.

What is the CVSS score for CVE-2024-8060?

CVE-2024-8060 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 2.11%.

Technical Details

NVD Description

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user.

Exploitation Scenario

An attacker with a valid OpenWebUI account (insider, compromised credential, or low-privilege trial user) crafts a multipart POST request to /audio/api/v1/transcriptions. They set the filename parameter to a path traversal payload such as ../../etc/cron.d/backdoor or ../../app/main.py, and set file.content_type to bypass content validation. The server writes the attacker-controlled file to the resolved path inside the Docker container. By overwriting a cron job, startup script, or Python source file loaded at runtime, the attacker achieves code execution as root on the next trigger event (cron tick, app restart, or hot-reload). From there, they exfiltrate LLM API keys, user conversation data, and model configurations, or establish a reverse shell.