CVE-2026-45672: open-webui: code exec gate bypass via API endpoint
GHSA-482j-2pq6-q5w4 HIGH PoC AVAILABLE CISA: ATTENDOpen WebUI's code execution feature gate is broken: any authenticated user can execute arbitrary Python code in the Jupyter container by calling the API directly, even when the admin has explicitly set ENABLE_CODE_EXECUTION=false, because the endpoint never checks the flag before dispatching to Jupyter. The vulnerability scores CVSS 8.8 and requires only a valid session token and a single HTTP request — no elevated privileges, no special tooling — making it trivially exploitable by any user on the instance, including trial accounts or compromised employees. The Jupyter container's Docker internal network access turns this from an isolated code execution bug into a full SSRF vector against databases, model servers, and secrets stored in environment variables, all while the admin dashboard continues displaying the control as disabled. Upgrade to open-webui >= v0.8.12 immediately; the only effective workaround short of patching is to remove Jupyter integration or block POST requests to /api/v1/utils/code/execute at the network layer.
What is the risk?
High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and only requiring standard authenticated access creates a broad, easily exploitable attack surface. The critical aggravating factor is that the admin security control appears enforced but is silently ignored — organizations that audited their configuration and disabled code execution operate under a false sense of security. With 91 prior CVEs in the same package, the codebase has a significant vulnerability history. The Jupyter container's internal Docker network access substantially amplifies blast radius beyond the Open WebUI host to all co-located infrastructure.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.8.11 | 0.8.12 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
4 steps-
Patch immediately: upgrade open-webui to >= v0.8.12, which adds the ENABLE_CODE_EXECUTION check in the /api/v1/utils/code/execute handler before dispatching to Jupyter.
-
If patching is not immediately possible: remove Jupyter integration from Open WebUI config entirely, or add a WAF/reverse proxy rule blocking POST requests to /api/v1/utils/code/execute.
-
Detection: audit web server and application logs for POST requests to /api/v1/utils/code/execute from non-admin authenticated users on instances with ENABLE_CODE_EXECUTION=false — any such request is evidence of exploitation attempt.
-
Post-incident: rotate all credentials and secrets accessible from the Jupyter container environment and internal Docker network if exploitation is suspected.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45672?
Open WebUI's code execution feature gate is broken: any authenticated user can execute arbitrary Python code in the Jupyter container by calling the API directly, even when the admin has explicitly set ENABLE_CODE_EXECUTION=false, because the endpoint never checks the flag before dispatching to Jupyter. The vulnerability scores CVSS 8.8 and requires only a valid session token and a single HTTP request — no elevated privileges, no special tooling — making it trivially exploitable by any user on the instance, including trial accounts or compromised employees. The Jupyter container's Docker internal network access turns this from an isolated code execution bug into a full SSRF vector against databases, model servers, and secrets stored in environment variables, all while the admin dashboard continues displaying the control as disabled. Upgrade to open-webui >= v0.8.12 immediately; the only effective workaround short of patching is to remove Jupyter integration or block POST requests to /api/v1/utils/code/execute at the network layer.
Is CVE-2026-45672 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45672, increasing the risk of exploitation.
How to fix CVE-2026-45672?
1. Patch immediately: upgrade open-webui to >= v0.8.12, which adds the ENABLE_CODE_EXECUTION check in the /api/v1/utils/code/execute handler before dispatching to Jupyter. 2. If patching is not immediately possible: remove Jupyter integration from Open WebUI config entirely, or add a WAF/reverse proxy rule blocking POST requests to /api/v1/utils/code/execute. 3. Detection: audit web server and application logs for POST requests to /api/v1/utils/code/execute from non-admin authenticated users on instances with ENABLE_CODE_EXECUTION=false — any such request is evidence of exploitation attempt. 4. Post-incident: rotate all credentials and secrets accessible from the Jupyter container environment and internal Docker network if exploitation is suspected.
What systems are affected by CVE-2026-45672?
This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, AI coding assistants, ML notebook environments, Model serving infrastructure, Agent frameworks.
What is the CVSS score for CVE-2026-45672?
CVE-2026-45672 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.41%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0055 Unsecured Credentials AML.T0107 Exploitation for Defense Evasion Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary The `/api/v1/utils/code/execute` endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set `ENABLE_CODE_EXECUTION=false`. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. ### Details The admin configuration correctly shows `ENABLE_CODE_EXECUTION: false`. However, the code execution endpoint does not check this flag before forwarding Python code to the Jupyter server. Any authenticated user can execute arbitrary code in the Jupyter container. ### PoC **Verified against Open WebUI v0.8.11 (latest) Docker on 2026-03-25.** **Setup:** Jupyter server connected, `ENABLE_CODE_EXECUTION=false` confirmed in admin config. ```bash # Step 1: Verify code execution is disabled curl -s http://target:8080/api/v1/configs/code_execution \ -H "Authorization: Bearer $TOKEN" # Returns: {"ENABLE_CODE_EXECUTION": false, ...} # Step 2: Execute code anyway — gate bypassed curl -s -X POST http://target:8080/api/v1/utils/code/execute \ -H "Authorization: Bearer $TOKEN" \ -H 'Content-Type: application/json' \ -d '{"code":"import os; print(os.popen(\"id\").read())"}' ``` **Verified output:** ``` Config: {"ENABLE_CODE_EXECUTION":false,"CODE_EXECUTION_ENGINE":"jupyter",...} execute_status=200 execute_body={"stdout":"OPEN-WEBUI-SSRF-SECRET","stderr":"","result":""} ``` The PoC read the internal secret service content via Jupyter — despite `ENABLE_CODE_EXECUTION=false`. The Jupyter container has network access to internal services, making this both a code execution bypass and an SSRF vector. ### Impact Any authenticated user can execute arbitrary Python code in the Jupyter container, even when the admin has explicitly disabled code execution: - Arbitrary code execution in the Jupyter container (read files, spawn processes) - Network access to all internal Docker services from the Jupyter container - Data exfiltration from internal services - The admin's security configuration (`ENABLE_CODE_EXECUTION=false`) is silently ineffective - Users who are told "code execution is disabled" have a false sense of security ## Resolution Fixed in commit [6d736d3c5](https://github.com/open-webui/open-webui/commit/6d736d3c598dbe49488675ed42845e00b62dfcba), first released in **v0.8.12**. The `/api/v1/utils/code/execute` handler in `backend/open_webui/routers/utils.py` now checks `request.app.state.config.ENABLE_CODE_EXECUTION` before dispatching to the Jupyter engine and returns 403 with `FEATURE_DISABLED('Code execution')` when the admin has disabled the flag. The retrieval-side code path was gated in the same commit. Users on `>= 0.8.12` are not affected.
Exploitation Scenario
An attacker with any valid Open WebUI account — a trial user, a compromised employee, or an insider — sends a single crafted POST to /api/v1/utils/code/execute with their Bearer token and a Python payload. The endpoint silently bypasses ENABLE_CODE_EXECUTION=false and forwards the code to Jupyter. The attacker reads environment variables to harvest database credentials, model API keys, or cloud tokens, then pivots through the Jupyter container's Docker network to reach internal services: querying the database directly, calling internal inference endpoints, or exfiltrating training data stored on mounted volumes. Throughout the attack, the admin dashboard shows code execution as disabled, providing no indication of compromise.
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-54011 8.7 Open WebUI: Stored XSS via Mermaid loose mode in preview
Same package: open-webui