CVE-2026-45672 Overview
CVE-2026-45672 is an authorization flaw in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. The /api/v1/utils/code/execute endpoint executes arbitrary Python code through Jupyter for any verified user. The endpoint runs even when administrators set ENABLE_CODE_EXECUTION=false. The feature gate is declared in configuration but never enforced at the API layer. Any authenticated user can therefore reach a Python execution backend the administrator believed was disabled. The flaw is fixed in Open Webui version 0.8.12.
Critical Impact
Authenticated low-privilege users can execute arbitrary Python code on the Jupyter backend regardless of the ENABLE_CODE_EXECUTION setting, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Open WebUI versions prior to 0.8.12
- Deployments using the /api/v1/utils/code/execute endpoint
- Self-hosted Open WebUI instances integrating with Jupyter for code execution
Discovery Timeline
- 2026-05-15 - CVE-2026-45672 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45672
Vulnerability Analysis
The vulnerability stems from a missing authorization check on the /api/v1/utils/code/execute endpoint. Open WebUI exposes a code execution feature that proxies Python payloads to a Jupyter backend. Administrators can disable this feature globally by setting the environment variable ENABLE_CODE_EXECUTION=false. The configuration flag is read elsewhere in the application but is not consulted by the API route handler. As a result, the endpoint accepts and processes code submissions from any verified user account. The flaw is classified under [CWE-863] Incorrect Authorization.
Exploitation requires only a valid user session. The attacker sends a POST request containing a Python payload to the execution endpoint. The Jupyter backend evaluates the code and returns the output. An attacker can read files, exfiltrate secrets, pivot into internal networks, or deploy persistence mechanisms on the host running Jupyter.
Root Cause
The root cause is a server-side trust boundary failure. The feature gate ENABLE_CODE_EXECUTION controls the user interface but not the route. The API handler does not re-check the configuration before forwarding code to Jupyter. This produces a divergence between the documented security posture and runtime behavior.
Attack Vector
The attack vector is network-based and requires low privileges. Any account that has completed verification can issue the request. No user interaction is needed beyond the attacker's own session. Because Jupyter executes Python with the privileges of the backend process, the attacker inherits that level of access to the host environment.
No verified public exploit code is available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-45672
Indicators of Compromise
- HTTP POST requests to /api/v1/utils/code/execute originating from non-administrative user accounts.
- Jupyter kernel processes spawning unexpected child processes such as shells, curl, or wget.
- Outbound network connections from the Jupyter backend host to unfamiliar destinations.
- Filesystem reads of sensitive paths like /etc/passwd, .env files, or cloud metadata endpoints from the Jupyter context.
Detection Strategies
- Review Open WebUI access logs for /api/v1/utils/code/execute requests when ENABLE_CODE_EXECUTION is set to false. Any hit indicates exploitation.
- Correlate Jupyter kernel execution events with the originating user identity in Open WebUI session logs.
- Alert on Python interpreter processes invoking subprocess APIs or initiating outbound sockets on the Jupyter host.
Monitoring Recommendations
- Enable verbose request logging on the Open WebUI reverse proxy and forward logs to a centralized analytics platform.
- Monitor Jupyter container or service runtime telemetry for anomalous process trees and network egress.
- Track authentication events for verified users to identify accounts performing unusual API activity.
How to Mitigate CVE-2026-45672
Immediate Actions Required
- Upgrade Open WebUI to version 0.8.12 or later without delay.
- Audit existing user accounts and revoke verification for accounts that are not required.
- Inspect Jupyter backend hosts for signs of unauthorized code execution since the deployment of any vulnerable version.
- Rotate credentials, API keys, and tokens accessible from the Jupyter execution environment.
Patch Information
The maintainers fixed the vulnerability in Open WebUI 0.8.12 by enforcing the ENABLE_CODE_EXECUTION configuration at the API endpoint. Refer to the GitHub Security Advisory GHSA-482j-2pq6-q5w4 for full release information.
Workarounds
- Block requests to /api/v1/utils/code/execute at an upstream reverse proxy or web application firewall until the patch is applied.
- Isolate the Jupyter backend on a network segment with strict egress filtering to limit lateral movement.
- Restrict Open WebUI account creation and verification flows to trusted users only.
# Example nginx rule to block the vulnerable endpoint until patched
location = /api/v1/utils/code/execute {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
