Advisory severity: high

Open WebUI Code Execution Bypass via Feature Gate Neglect (CVE-2026-45672)

Open WebUI versions 0.8.11 and earlier are vulnerable to arbitrary code execution due to a bypassed feature gate; the `/api/v1/utils/code/execute` endpoint allows authenticated users to execute Python code via Jupyter even when code execution is disabled, leading to potential data exfiltration and code execution (CVE-2026-45672).

Open WebUI versions 0.8.11 and earlier are vulnerable to a code execution bypass. The vulnerability resides in the /api/v1/utils/code/execute endpoint, which allows any authenticated user to execute arbitrary Python code on the connected Jupyter server even when the administrator has explicitly disabled code execution with ENABLE_CODE_EXECUTION=false in the application configuration. This issue was verified against Open WebUI v0.8.11 running in a Docker container on March 25, 2026. Because the endpoint never consults the flag before forwarding code to Jupyter, the configured feature gate is ineffective: any account that can log in can run code in the Jupyter container and, from there, reach whatever internal services that container can route to.

Attack Chain

  1. An attacker authenticates to the Open WebUI application as a valid user.
  2. The attacker crafts a POST request to the /api/v1/utils/code/execute endpoint.
  3. The POST request includes a JSON payload containing the code parameter with the Python code to be executed. Example: {"code":"import os; print(os.popen(\"id\").read())"}
  4. The Open WebUI backend receives the request and, without checking the ENABLE_CODE_EXECUTION flag, forwards the code to the connected Jupyter server.
  5. The Jupyter server executes the provided Python code within its container.
  6. The executed code uses the os.popen() function to execute shell commands.
  7. The Jupyter container, due to its network configuration, can access internal Docker services.
  8. The attacker obtains the output of the executed code and any internal service data accessible from the Jupyter container, potentially exfiltrating sensitive information.
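The attack chain above reduces to one authenticated POST, so the check an operator actually wants is "does my instance honour the gate?". The probe below is an added example for this advisory, not Open WebUI's own code or tooling. It assumes only what the advisory states: Bearer-token authentication and a JSON body {"code": ...}. Nothing is assumed about the shape of the response; the probe prints a runtime-computed marker and looks for it anywhere in the body, so a server that merely echoes the submitted code back cannot produce a false "executed" verdict. The ENABLE_CODE_EXECUTION value is supplied by the operator, since the probe cannot read it from the server.

```python
"""Check whether an Open WebUI instance enforces ENABLE_CODE_EXECUTION on
/api/v1/utils/code/execute.

Added example for this advisory, not Open WebUI's own code. Assumptions:
the endpoint accepts a Bearer token and a JSON body {"code": ...} (as in the
attack chain above); nothing is assumed about the response body's shape,
only that output of executed code is echoed back somewhere in it.
"""
import json
import os
import sys
import urllib.error
import urllib.request

ENDPOINT = "/api/v1/utils/code/execute"

# Benign probe. The marker is built at runtime so the literal never appears in
# the request: a server that only echoes the submitted code back cannot
# produce a false "executed" verdict.
PROBE_CODE = 'print("GATE_PROBE_" + str(6 * 7))'
PROBE_MARKER = "GATE_PROBE_42"


def build_request(base_url: str, token: str, code: str = PROBE_CODE) -> urllib.request.Request:
    """POST {"code": ...} to the gated endpoint with the user's Bearer token."""
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=json.dumps({"code": code}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def classify_response(status: int, body: str, gate_enabled: bool) -> str:
    """Turn status + body into a verdict.

    gate_enabled is the ENABLE_CODE_EXECUTION value the admin configured;
    the probe cannot read it from the server, so the operator supplies it.
    """
    executed = PROBE_MARKER in body
    if executed and not gate_enabled:
        return "VULNERABLE"      # code ran although execution is disabled
    if executed:
        return "EXECUTED"        # expected behaviour with the gate open
    if status in (401, 403, 404):
        return "GATED"           # endpoint refused or is not exposed
    return "INCONCLUSIVE"        # e.g. no Jupyter backend attached


def probe(base_url: str, token: str, gate_enabled: bool) -> str:
    """Send the probe and classify the answer (HTTP errors carry a body too)."""
    req = build_request(base_url, token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode(errors="replace")
    return classify_response(status, body, gate_enabled)


if __name__ == "__main__":
    # Usage (hypothetical values):
    #   OPENWEBUI_TOKEN=... python probe_gate.py http://localhost:3000 false
    # where the last argument is the configured ENABLE_CODE_EXECUTION value.
    url, gate = sys.argv[1], sys.argv[2].lower() == "true"
    token = os.environ["OPENWEBUI_TOKEN"]
    print(probe(url, token, gate))
```

Run it with an ordinary (non-admin) user's token: a VULNERABLE verdict on a deployment configured with ENABLE_CODE_EXECUTION=false is the exact condition the advisory describes, and an INCONCLUSIVE verdict usually means no Jupyter server is attached, in which case there is nothing for the endpoint to forward code to.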

Impact

The vulnerability allows any authenticated user to execute arbitrary Python code in the Jupyter container, even when code execution is disabled. This leads to:

  • arbitrary code execution in the Jupyter container, giving the attacker the ability to read files and spawn processes;
  • network access to internal Docker services reachable from that container;
  • data exfiltration from those internal services;
  • an ineffective admin security configuration and a false sense of security for operators who believe code execution is disabled.

Recommendation

  • Upgrade Open WebUI to version 0.8.12 or later, where CVE-2026-45672 is fixed.
  • Deploy the Sigma rule “Detect Open WebUI Code Execution Bypass via API Endpoint” to monitor requests to the /api/v1/utils/code/execute endpoint. On a deployment with ENABLE_CODE_EXECUTION=false, any POST to this endpoint is unexpected and should be treated as an exploitation attempt; where execution is legitimately enabled, the endpoint sees normal traffic and the companion suspicious-command rule is the one to triage.
  • Review the network configuration of the Jupyter container so that it cannot reach internal Docker services it does not need (for example a dedicated Docker network with no route to the other containers), limiting what successful code execution can pivot to.
  • If the upgrade cannot be applied immediately, detach the Jupyter server from the Open WebUI configuration: the vulnerable endpoint forwards code to the connected Jupyter server, so without one there is no execution backend for it to reach.

Detection coverage (2 rules)

Detect Open WebUI Code Execution Bypass via API Endpoint

Severity: high

Detects CVE-2026-45672 exploitation — attempts to execute code via the `/api/v1/utils/code/execute` endpoint in Open WebUI, bypassing the `ENABLE_CODE_EXECUTION` flag.

Format: Sigma | Tactic: Execution | Technique: T1059.009 | Log source: webserver

Detect Open WebUI Jupyter Code Execution with Suspicious Commands

Severity: high

Detects CVE-2026-45672 exploitation — monitors for specific command execution attempts within Open WebUI's Jupyter code execution feature, indicating potential exploitation.

Format: Sigma | Tactic: Execution | Technique: T1059.009 | Log source: webserver
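To show what the two rules above amount to when run over real log data, here is an added example for this advisory, not the platform's Sigma rules, that replays both detection ideas over constructed web-server style log lines. It assumes a combined-log-like line with an optional trailing JSON request body; stock access logs do not record POST bodies, so the second rule (suspicious commands inside the submitted code) only fires where the reverse proxy or the application logs them. The account names, addresses, timestamps and the "internal-service" hostname in the sample are made up.

```python
"""Replay the two detection ideas from the rules above over web-server style
log lines.

Added example for this advisory, not the platform's Sigma rules. Assumes a
combined-log-like line with an optional trailing JSON request body; stock
access logs do not record POST bodies, so the second rule only fires where
the reverse proxy or the application logs them. The log lines are constructed.
"""
import json
import re

ENDPOINT = "/api/v1/utils/code/execute"

# Indicators of shell escape or internal recon inside submitted Python.
SUSPICIOUS = {
    "os_popen": r"os\.popen",
    "os_system": r"os\.system",
    "subprocess": r"subprocess\.",
    "raw_socket": r"\bsocket\b",
    "passwd_read": r"/etc/passwd",
    "curl_wget": r"\b(?:curl|wget)\b",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: (?P<body>\{.*\}))?$'
)

# Constructed sample; "mallory" is the hypothetical attacker account.
SAMPLE_LOG = [
    '10.0.0.5 - alice [25/Mar/2026:10:01:02 +0000] "GET /api/v1/chats HTTP/1.1" 200 512',
    r'10.0.0.9 - mallory [25/Mar/2026:10:01:10 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 88 {"code":"import os; print(os.popen(\"id\").read())"}',
    r'10.0.0.9 - mallory [25/Mar/2026:10:01:15 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 1900 {"code":"import socket; print(socket.gethostbyname(\"internal-service\"))"}',
    '10.0.0.5 - alice [25/Mar/2026:10:02:00 +0000] "POST /api/v1/auths/signin HTTP/1.1" 200 300',
]


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not in the expected shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rule_endpoint_hit(rec: dict, gate_enabled: bool):
    """Rule 1: POST to the gated endpoint. With ENABLE_CODE_EXECUTION=false
    every hit is a bypass attempt; with it true, it is ordinary usage to be
    triaged with rule 2."""
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != ENDPOINT:
        return None
    return "endpoint_use" if gate_enabled else "bypass"


def rule_suspicious_code(rec: dict) -> list:
    """Rule 2: inspect the submitted code when the request body was logged."""
    body = rec.get("body")
    if not body:
        return []
    try:
        code = json.loads(body).get("code", "")
    except (json.JSONDecodeError, AttributeError):
        return []
    return [name for name, pat in SUSPICIOUS.items() if re.search(pat, code)]


def scan(lines, gate_enabled: bool = False) -> list:
    """Apply rule 1 to every line; attach rule 2's indicators to each hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = rule_endpoint_hit(rec, gate_enabled)
        if kind is None:
            continue
        alerts.append({
            "user": rec["user"], "ip": rec["ip"], "ts": rec["ts"],
            "status": rec["status"], "kind": kind,
            "indicators": rule_suspicious_code(rec),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, gate_enabled=False):
        print(alert)
```

The split between the two rules matters operationally: on a gate-disabled deployment rule 1 alone is high-fidelity, because nothing legitimate should reach the endpoint, while on a deployment that allows code execution rule 1 is only an audit trail and the indicator list from rule 2 is what separates a user's notebook work from a shell escape.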
