CVE-2026-45672: open-webui: code exec gate bypass via API endpoint

GHSA-482j-2pq6-q5w4 HIGH PoC AVAILABLE CISA: ATTEND
Published May 14, 2026
CISO Take

Open WebUI's code execution feature gate is broken: any authenticated user can execute arbitrary Python code in the Jupyter container by calling the API directly, even when the admin has explicitly set ENABLE_CODE_EXECUTION=false, because the endpoint never checks the flag before dispatching to Jupyter. The vulnerability scores CVSS 8.8 and requires only a valid session token and a single HTTP request — no elevated privileges, no special tooling — making it trivially exploitable by any user on the instance, including trial accounts or compromised employees. The Jupyter container's Docker internal network access turns this from an isolated code execution bug into a full SSRF vector against databases, model servers, and secrets stored in environment variables, all while the admin dashboard continues displaying the control as disabled. Upgrade to open-webui >= v0.8.12 immediately; the only effective workaround short of patching is to remove Jupyter integration or block POST requests to /api/v1/utils/code/execute at the network layer.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and only requiring standard authenticated access creates a broad, easily exploitable attack surface. The critical aggravating factor is that the admin security control appears enforced but is silently ignored — organizations that audited their configuration and disabled code execution operate under a false sense of security. With 91 prior CVEs in the same package, the codebase has a significant vulnerability history. The Jupyter container's internal Docker network access substantially amplifies blast radius beyond the Open WebUI host to all co-located infrastructure.

How does the attack unfold?

Initial Access
Attacker authenticates to Open WebUI using any valid user account — including low-privilege, trial, or compromised accounts — to obtain a Bearer token.
AML.T0012
Feature Gate Bypass
Attacker sends a direct POST to /api/v1/utils/code/execute with their token; the handler skips the ENABLE_CODE_EXECUTION flag check and forwards code to the Jupyter server.
AML.T0049
Code Execution
Arbitrary Python runs inside the Jupyter container, enabling file system reads, process spawning, and harvesting of secrets from environment variables.
AML.T0050
Internal Pivot & Exfiltration
Attacker leverages the Jupyter container's Docker network access to reach internal services — databases, model endpoints, secret stores — and exfiltrate data or establish persistence.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.8.11 0.8.12
143.3K Pushed 5d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 32% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

4 steps
  1. Patch immediately: upgrade open-webui to >= v0.8.12, which adds the ENABLE_CODE_EXECUTION check in the /api/v1/utils/code/execute handler before dispatching to Jupyter.

  2. If patching is not immediately possible: remove Jupyter integration from Open WebUI config entirely, or add a WAF/reverse proxy rule blocking POST requests to /api/v1/utils/code/execute.

  3. Detection: audit web server and application logs for POST requests to /api/v1/utils/code/execute from non-admin authenticated users on instances with ENABLE_CODE_EXECUTION=false — any such request is evidence of exploitation attempt.

  4. Post-incident: rotate all credentials and secrets accessible from the Jupyter container environment and internal Docker network if exploitation is suspected.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
8.4 - Information security for AI systems
NIST AI RMF
GOVERN 1.1 - Policies, processes, and practices are in place to address AI risks MANAGE 2.2 - Mechanisms are in place to respond to AI risks
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45672?

Open WebUI's code execution feature gate is broken: any authenticated user can execute arbitrary Python code in the Jupyter container by calling the API directly, even when the admin has explicitly set ENABLE_CODE_EXECUTION=false, because the endpoint never checks the flag before dispatching to Jupyter. The vulnerability scores CVSS 8.8 and requires only a valid session token and a single HTTP request — no elevated privileges, no special tooling — making it trivially exploitable by any user on the instance, including trial accounts or compromised employees. The Jupyter container's Docker internal network access turns this from an isolated code execution bug into a full SSRF vector against databases, model servers, and secrets stored in environment variables, all while the admin dashboard continues displaying the control as disabled. Upgrade to open-webui >= v0.8.12 immediately; the only effective workaround short of patching is to remove Jupyter integration or block POST requests to /api/v1/utils/code/execute at the network layer.

Is CVE-2026-45672 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45672, increasing the risk of exploitation.

How to fix CVE-2026-45672?

1. Patch immediately: upgrade open-webui to >= v0.8.12, which adds the ENABLE_CODE_EXECUTION check in the /api/v1/utils/code/execute handler before dispatching to Jupyter. 2. If patching is not immediately possible: remove Jupyter integration from Open WebUI config entirely, or add a WAF/reverse proxy rule blocking POST requests to /api/v1/utils/code/execute. 3. Detection: audit web server and application logs for POST requests to /api/v1/utils/code/execute from non-admin authenticated users on instances with ENABLE_CODE_EXECUTION=false — any such request is evidence of exploitation attempt. 4. Post-incident: rotate all credentials and secrets accessible from the Jupyter container environment and internal Docker network if exploitation is suspected.

What systems are affected by CVE-2026-45672?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, AI coding assistants, ML notebook environments, Model serving infrastructure, Agent frameworks.

What is the CVSS score for CVE-2026-45672?

CVE-2026-45672 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.41%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfacesAI coding assistantsML notebook environmentsModel serving infrastructureAgent frameworks

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

### Summary The `/api/v1/utils/code/execute` endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set `ENABLE_CODE_EXECUTION=false`. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. ### Details The admin configuration correctly shows `ENABLE_CODE_EXECUTION: false`. However, the code execution endpoint does not check this flag before forwarding Python code to the Jupyter server. Any authenticated user can execute arbitrary code in the Jupyter container. ### PoC **Verified against Open WebUI v0.8.11 (latest) Docker on 2026-03-25.** **Setup:** Jupyter server connected, `ENABLE_CODE_EXECUTION=false` confirmed in admin config. ```bash # Step 1: Verify code execution is disabled curl -s http://target:8080/api/v1/configs/code_execution \ -H "Authorization: Bearer $TOKEN" # Returns: {"ENABLE_CODE_EXECUTION": false, ...} # Step 2: Execute code anyway — gate bypassed curl -s -X POST http://target:8080/api/v1/utils/code/execute \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"code":"import os; print(os.popen(\"id\").read())"}' ``` **Verified output:** ``` Config: {"ENABLE_CODE_EXECUTION":false,"CODE_EXECUTION_ENGINE":"jupyter",...} execute_status=200 execute_body={"stdout":"OPEN-WEBUI-SSRF-SECRET","stderr":"","result":""} ``` The PoC read the internal secret service content via Jupyter — despite `ENABLE_CODE_EXECUTION=false`. The Jupyter container has network access to internal services, making this both a code execution bypass and an SSRF vector. ### Impact Any authenticated user can execute arbitrary Python code in the Jupyter container, even when the admin has explicitly disabled code execution: - Arbitrary code execution in the Jupyter container (read files, spawn processes) - Network access to all internal Docker services from the Jupyter container - Data exfiltration from internal services - The admin's security configuration (`ENABLE_CODE_EXECUTION=false`) is silently ineffective - Users who are told "code execution is disabled" have a false sense of security ## Resolution Fixed in commit [6d736d3c5](https://github.com/open-webui/open-webui/commit/6d736d3c598dbe49488675ed42845e00b62dfcba), first released in **v0.8.12**. The `/api/v1/utils/code/execute` handler in `backend/open_webui/routers/utils.py` now checks `request.app.state.config.ENABLE_CODE_EXECUTION` before dispatching to the Jupyter engine and returns 403 with `FEATURE_DISABLED('Code execution')` when the admin has disabled the flag. The retrieval-side code path was gated in the same commit. Users on `>= 0.8.12` are not affected.

Exploitation Scenario

An attacker with any valid Open WebUI account — a trial user, a compromised employee, or an insider — sends a single crafted POST to /api/v1/utils/code/execute with their Bearer token and a Python payload. The endpoint silently bypasses ENABLE_CODE_EXECUTION=false and forwards the code to Jupyter. The attacker reads environment variables to harvest database credentials, model API keys, or cloud tokens, then pivots through the Jupyter container's Docker network to reach internal services: querying the database directly, calling internal inference endpoints, or exfiltrating training data stored on mounted volumes. Throughout the attack, the admin dashboard shows code execution as disabled, providing no indication of compromise.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities