Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45672

CVE-2026-45672: Open WebUI RCE Vulnerability

CVE-2026-45672 is a remote code execution flaw in Open WebUI that allows verified users to execute arbitrary Python code even when code execution is disabled. This post covers technical details, affected versions, and fixes.

Published:

CVE-2026-45672 Overview

CVE-2026-45672 is an authorization flaw in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The /api/v1/utils/code/execute endpoint executes arbitrary Python code through Jupyter for any verified user. The endpoint runs even when administrators set ENABLE_CODE_EXECUTION=false. The feature gate is declared in configuration but never enforced at the API layer. Any authenticated user can therefore reach a Python execution backend the administrator believed was disabled. The flaw is fixed in Open Webui version 0.8.12.

Critical Impact

Authenticated low-privilege users can execute arbitrary Python code on the Jupyter backend regardless of the ENABLE_CODE_EXECUTION setting, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • Open WebUI versions prior to 0.8.12
  • Deployments using the /api/v1/utils/code/execute endpoint
  • Self-hosted Open WebUI instances integrating with Jupyter for code execution

Discovery Timeline

  • 2026-05-15 - CVE-2026-45672 published to NVD
  • 2026-05-19 - Last updated in NVD database

Technical Details for CVE-2026-45672

Vulnerability Analysis

The vulnerability stems from a missing authorization check on the /api/v1/utils/code/execute endpoint. Open WebUI exposes a code execution feature that proxies Python payloads to a Jupyter backend. Administrators can disable this feature globally by setting the environment variable ENABLE_CODE_EXECUTION=false. The configuration flag is read elsewhere in the application but is not consulted by the API route handler. As a result, the endpoint accepts and processes code submissions from any verified user account. The flaw is classified under [CWE-863] Incorrect Authorization.

Exploitation requires only a valid user session. The attacker sends a POST request containing a Python payload to the execution endpoint. The Jupyter backend evaluates the code and returns the output. An attacker can read files, exfiltrate secrets, pivot into internal networks, or deploy persistence mechanisms on the host running Jupyter.

Root Cause

The root cause is a server-side trust boundary failure. The feature gate ENABLE_CODE_EXECUTION controls the user interface but not the route. The API handler does not re-check the configuration before forwarding code to Jupyter. This produces a divergence between the documented security posture and runtime behavior.

Attack Vector

The attack vector is network-based and requires low privileges. Any account that has completed verification can issue the request. No user interaction is needed beyond the attacker's own session. Because Jupyter executes Python with the privileges of the backend process, the attacker inherits that level of access to the host environment.

No verified public exploit code is available. See the GitHub Security Advisory for technical details.

Detection Methods for CVE-2026-45672

Indicators of Compromise

  • HTTP POST requests to /api/v1/utils/code/execute originating from non-administrative user accounts.
  • Jupyter kernel processes spawning unexpected child processes such as shells, curl, or wget.
  • Outbound network connections from the Jupyter backend host to unfamiliar destinations.
  • Filesystem reads of sensitive paths like /etc/passwd, .env files, or cloud metadata endpoints from the Jupyter context.

Detection Strategies

  • Review Open WebUI access logs for /api/v1/utils/code/execute requests when ENABLE_CODE_EXECUTION is set to false. Any hit indicates exploitation.
  • Correlate Jupyter kernel execution events with the originating user identity in Open WebUI session logs.
  • Alert on Python interpreter processes invoking subprocess APIs or initiating outbound sockets on the Jupyter host.

Monitoring Recommendations

  • Enable verbose request logging on the Open WebUI reverse proxy and forward logs to a centralized analytics platform.
  • Monitor Jupyter container or service runtime telemetry for anomalous process trees and network egress.
  • Track authentication events for verified users to identify accounts performing unusual API activity.

How to Mitigate CVE-2026-45672

Immediate Actions Required

  • Upgrade Open WebUI to version 0.8.12 or later without delay.
  • Audit existing user accounts and revoke verification for accounts that are not required.
  • Inspect Jupyter backend hosts for signs of unauthorized code execution since the deployment of any vulnerable version.
  • Rotate credentials, API keys, and tokens accessible from the Jupyter execution environment.

Patch Information

The maintainers fixed the vulnerability in Open WebUI 0.8.12 by enforcing the ENABLE_CODE_EXECUTION configuration at the API endpoint. Refer to the GitHub Security Advisory GHSA-482j-2pq6-q5w4 for full release information.

Workarounds

  • Block requests to /api/v1/utils/code/execute at an upstream reverse proxy or web application firewall until the patch is applied.
  • Isolate the Jupyter backend on a network segment with strict egress filtering to limit lateral movement.
  • Restrict Open WebUI account creation and verification flows to trusted users only.
bash
# Example nginx rule to block the vulnerable endpoint until patched
location = /api/v1/utils/code/execute {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.