AI Threat Alert

CVE-2026-45672: open-webui: code exec gate bypass via API endpoint

GHSA-482j-2pq6-q5w4 HIGH
Published May 14, 2026
CISO Take

Open WebUI's code execution feature gate is broken: any authenticated user can execute arbitrary Python code in the Jupyter container by calling the API directly, even when the admin has explicitly set ENABLE_CODE_EXECUTION=false, because the endpoint never checks the flag before dispatching to Jupyter. The vulnerability scores CVSS 8.8 and requires only a valid session token and a single HTTP request — no elevated privileges, no special tooling — making it trivially exploitable by any user on the instance, including trial accounts or compromised employees. The Jupyter container's Docker internal network access turns this from an isolated code execution bug into a full SSRF vector against databases, model servers, and secrets stored in environment variables, all while the admin dashboard continues displaying the control as disabled. Upgrade to open-webui >= v0.8.12 immediately; the only effective workaround short of patching is to remove Jupyter integration or block POST requests to /api/v1/utils/code/execute at the network layer.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and only requiring standard authenticated access creates a broad, easily exploitable attack surface. The critical aggravating factor is that the admin security control appears enforced but is silently ignored — organizations that audited their configuration and disabled code execution operate under a false sense of security. With 91 prior CVEs in the same package, the codebase has a significant vulnerability history. The Jupyter container's internal Docker network access substantially amplifies blast radius beyond the Open WebUI host to all co-located infrastructure.

Attack Kill Chain

Initial Access
Attacker authenticates to Open WebUI using any valid user account — including low-privilege, trial, or compromised accounts — to obtain a Bearer token.
AML.T0012
Feature Gate Bypass
Attacker sends a direct POST to /api/v1/utils/code/execute with their token; the handler skips the ENABLE_CODE_EXECUTION flag check and forwards code to the Jupyter server.
AML.T0049
Code Execution
Arbitrary Python runs inside the Jupyter container, enabling file system reads, process spawning, and harvesting of secrets from environment variables.
AML.T0050
Internal Pivot & Exfiltration
Attacker leverages the Jupyter container's Docker network access to reach internal services — databases, model endpoints, secret stores — and exfiltrate data or establish persistence.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
open-webui pip <= 0.8.11 0.8.12
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

4 steps

  1. Patch immediately: upgrade open-webui to >= v0.8.12, which adds the ENABLE_CODE_EXECUTION check in the /api/v1/utils/code/execute handler before dispatching to Jupyter.

  2. If patching is not immediately possible: remove Jupyter integration from Open WebUI config entirely, or add a WAF/reverse proxy rule blocking POST requests to /api/v1/utils/code/execute.

  3. Detection: audit web server and application logs for POST requests to /api/v1/utils/code/execute from non-admin authenticated users on instances with ENABLE_CODE_EXECUTION=false — any such request is evidence of exploitation attempt.

  4. Post-incident: rotate all credentials and secrets accessible from the Jupyter container environment and internal Docker network if exploitation is suspected.

Classification

Auth Bypass Code Execution Framework Inference AML.T0012 AML.T0049 AML.T0050 AML.T0055 AML.T0107

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
8.4 - Information security for AI systems
NIST AI RMF
GOVERN 1.1 - Policies, processes, and practices are in place to address AI risks MANAGE 2.2 - Mechanisms are in place to respond to AI risks
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-45672?

Open WebUI's code execution feature gate is broken: any authenticated user can execute arbitrary Python code in the Jupyter container by calling the API directly, even when the admin has explicitly set ENABLE_CODE_EXECUTION=false, because the endpoint never checks the flag before dispatching to Jupyter. The vulnerability scores CVSS 8.8 and requires only a valid session token and a single HTTP request — no elevated privileges, no special tooling — making it trivially exploitable by any user on the instance, including trial accounts or compromised employees. The Jupyter container's Docker internal network access turns this from an isolated code execution bug into a full SSRF vector against databases, model servers, and secrets stored in environment variables, all while the admin dashboard continues displaying the control as disabled. Upgrade to open-webui >= v0.8.12 immediately; the only effective workaround short of patching is to remove Jupyter integration or block POST requests to /api/v1/utils/code/execute at the network layer.

Is CVE-2026-45672 actively exploited?

No confirmed active exploitation of CVE-2026-45672 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45672?

1. Patch immediately: upgrade open-webui to >= v0.8.12, which adds the ENABLE_CODE_EXECUTION check in the /api/v1/utils/code/execute handler before dispatching to Jupyter. 2. If patching is not immediately possible: remove Jupyter integration from Open WebUI config entirely, or add a WAF/reverse proxy rule blocking POST requests to /api/v1/utils/code/execute. 3. Detection: audit web server and application logs for POST requests to /api/v1/utils/code/execute from non-admin authenticated users on instances with ENABLE_CODE_EXECUTION=false — any such request is evidence of exploitation attempt. 4. Post-incident: rotate all credentials and secrets accessible from the Jupyter container environment and internal Docker network if exploitation is suspected.

What systems are affected by CVE-2026-45672?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, AI coding assistants, ML notebook environments, Model serving infrastructure, Agent frameworks.

What is the CVSS score for CVE-2026-45672?

CVE-2026-45672 has a CVSS v3.1 base score of 8.8 (HIGH).

Technical Details

NVD Description

### Summary The `/api/v1/utils/code/execute` endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set `ENABLE_CODE_EXECUTION=false`. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. ### Details The admin configuration correctly shows `ENABLE_CODE_EXECUTION: false`. However, the code execution endpoint does not check this flag before forwarding Python code to the Jupyter server. Any authenticated user can execute arbitrary code in the Jupyter container. ### PoC **Verified against Open WebUI v0.8.11 (latest) Docker on 2026-03-25.** **Setup:** Jupyter server connected, `ENABLE_CODE_EXECUTION=false` confirmed in admin config. ```bash # Step 1: Verify code execution is disabled curl -s http://target:8080/api/v1/configs/code_execution \ -H "Authorization: Bearer $TOKEN" # Returns: {"ENABLE_CODE_EXECUTION": false, ...} # Step 2: Execute code anyway — gate bypassed curl -s -X POST http://target:8080/api/v1/utils/code/execute \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"code":"import os; print(os.popen(\"id\").read())"}' ``` **Verified output:** ``` Config: {"ENABLE_CODE_EXECUTION":false,"CODE_EXECUTION_ENGINE":"jupyter",...} execute_status=200 execute_body={"stdout":"OPEN-WEBUI-SSRF-SECRET","stderr":"","result":""} ``` The PoC read the internal secret service content via Jupyter — despite `ENABLE_CODE_EXECUTION=false`. The Jupyter container has network access to internal services, making this both a code execution bypass and an SSRF vector. ### Impact Any authenticated user can execute arbitrary Python code in the Jupyter container, even when the admin has explicitly disabled code execution: - Arbitrary code execution in the Jupyter container (read files, spawn processes) - Network access to all internal Docker services from the Jupyter container - Data exfiltration from internal services - The admin's security configuration (`ENABLE_CODE_EXECUTION=false`) is silently ineffective - Users who are told "code execution is disabled" have a false sense of security ## Resolution Fixed in commit [6d736d3c5](https://github.com/open-webui/open-webui/commit/6d736d3c598dbe49488675ed42845e00b62dfcba), first released in **v0.8.12**. The `/api/v1/utils/code/execute` handler in `backend/open_webui/routers/utils.py` now checks `request.app.state.config.ENABLE_CODE_EXECUTION` before dispatching to the Jupyter engine and returns 403 with `FEATURE_DISABLED('Code execution')` when the admin has disabled the flag. The retrieval-side code path was gated in the same commit. Users on `>= 0.8.12` are not affected.

Exploitation Scenario

An attacker with any valid Open WebUI account — a trial user, a compromised employee, or an insider — sends a single crafted POST to /api/v1/utils/code/execute with their Bearer token and a Python payload. The endpoint silently bypasses ENABLE_CODE_EXECUTION=false and forwards the code to Jupyter. The attacker reads environment variables to harvest database credentials, model API keys, or cloud tokens, then pivots through the Jupyter container's Docker network to reach internal services: querying the database directly, calling internal inference endpoints, or exfiltrating training data stored on mounted volumes. Throughout the attack, the admin dashboard shows code execution as disabled, providing no indication of compromise.

Weaknesses (CWE)

CWE-863 Incorrect Authorization Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44551 9.1

open-webui: LDAP auth bypass — full account takeover

Same package: open-webui
HIGH CVE-2026-45315 8.7

Analysis pending

Same package: open-webui
HIGH CVE-2026-44552 8.7

open-webui: Redis cache poisoning enables cross-instance tool hijack

Same package: open-webui
HIGH CVE-2025-64495 8.7

Open WebUI: XSS-to-RCE via malicious prompt injection

Same package: open-webui
HIGH CVE-2025-65958 8.5

open-webui: SSRF allows internal network access

Same package: open-webui
Back to Threat Feed