{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/feature-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.8.11)"],"_cs_severities":["high"],"_cs_tags":["code-execution","feature-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI versions 0.8.11 and earlier contain a feature-gate bypass that results in arbitrary code execution. The \u003ccode\u003e/api/v1/utils/code/execute\u003c/code\u003e endpoint forwards user-supplied Python to the connected Jupyter server for any authenticated user without consulting the \u003ccode\u003eENABLE_CODE_EXECUTION\u003c/code\u003e setting, so an administrator who has explicitly disabled code execution with \u003ccode\u003eENABLE_CODE_EXECUTION=false\u003c/code\u003e in the application configuration is not protected. This issue was verified against Open WebUI v0.8.11 running in a Docker container on March 25, 2026. Because the endpoint never checks the flag, the configured feature gate is ineffective: any valid account can run code in the Jupyter container and reach whatever internal services that container can route to.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Open WebUI application as a valid user; no administrative role is required.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/v1/utils/code/execute\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST body is a JSON payload whose \u003ccode\u003ecode\u003c/code\u003e parameter carries the Python code to be executed.
Example: \u003ccode\u003e{\u0026quot;code\u0026quot;:\u0026quot;import os; print(os.popen(\\\u0026quot;id\\\u0026quot;).read())\u0026quot;}\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe Open WebUI backend accepts the request and, without checking the \u003ccode\u003eENABLE_CODE_EXECUTION\u003c/code\u003e flag, forwards the code to the connected Jupyter server.\u003c/li\u003e\n\u003cli\u003eThe Jupyter server executes the supplied Python code inside its container.\u003c/li\u003e\n\u003cli\u003eThe executed code calls \u003ccode\u003eos.popen()\u003c/code\u003e to run shell commands.\u003c/li\u003e\n\u003cli\u003eBecause of its network configuration, the Jupyter container can reach internal Docker services.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the output of the executed code in the API response, and with it any data reachable from the Jupyter container, which can then be exfiltrated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows any authenticated user to execute arbitrary Python code in the Jupyter container, even when code execution is disabled.
This leads to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eArbitrary code execution in the Jupyter container, giving the attacker the ability to read files and spawn processes.\u003c/li\u003e\n\u003cli\u003eNetwork access to the internal Docker services reachable from that container.\u003c/li\u003e\n\u003cli\u003eData exfiltration from those internal services.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s security configuration is rendered ineffective, giving users who believe code execution is disabled a false sense of security.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Open WebUI to version 0.8.12 or later, which fixes CVE-2026-45672.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Open WebUI Code Execution Bypass via API Endpoint\u0026rdquo; to monitor for requests to the \u003ccode\u003e/api/v1/utils/code/execute\u003c/code\u003e endpoint. In a deployment where \u003ccode\u003eENABLE_CODE_EXECUTION=false\u003c/code\u003e, no legitimate client should call this endpoint, so any request to it should be treated as a bypass attempt.\u003c/li\u003e\n\u003cli\u003eReview the network configuration of the Jupyter container and restrict its access to internal Docker services. This limits the blast radius of a successful execution but does not remove the code execution itself; only the upgrade closes the gate.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:30:39Z","date_published":"2026-05-14T20:30:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-code-exec-bypass/","summary":"Open WebUI versions 0.8.11 and earlier are vulnerable to arbitrary code execution due to a bypassed feature gate; the `/api/v1/utils/code/execute` endpoint allows authenticated users to execute Python code via Jupyter even when code execution is disabled, leading to potential data exfiltration and code execution (CVE-2026-45672).","title":"Open WebUI Code Execution Bypass via Feature Gate Neglect (CVE-2026-45672)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-code-exec-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Feature-Bypass","version":"https://jsonfeed.org/version/1.1"}
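The missing gate check described in the attack chain, and the endpoint monitoring the recommendation calls for, as an added Python example. This is not Open WebUI's code: the handler functions, the `Config` object, the recording `FakeJupyter` stub and the access-log lines are all constructed for illustration, and the only things taken from the advisory are the endpoint path, the setting name and the sample payload. The vulnerable handler authenticates the caller and then forwards the code unconditionally; the hardened one refuses with 403 when the flag is off, before anything reaches Jupyter.

```python
"""Feature-gate enforcement for a code-execution endpoint, plus a log check.

Added example, not Open WebUI's code. handle_vulnerable, handle_hardened,
Config and FakeJupyter are assumptions; the Jupyter server is replaced by a
stub that only records what it was asked to run, so nothing is executed.
"""
import re
from dataclasses import dataclass, field

ENDPOINT = "/api/v1/utils/code/execute"


@dataclass
class Config:
    # Mirrors the ENABLE_CODE_EXECUTION setting an administrator sets to false.
    enable_code_execution: bool = True


@dataclass
class FakeJupyter:
    """Stand-in for the connected Jupyter server: records submitted code."""
    received: list = field(default_factory=list)

    def execute(self, code: str) -> str:
        self.received.append(code)
        return "<jupyter output>"


def handle_vulnerable(body: dict, user, cfg: Config, jupyter: FakeJupyter) -> tuple:
    """The pattern the advisory describes: authenticated, but the gate is never read."""
    if user is None:
        return 401, {"detail": "Not authenticated"}
    # cfg.enable_code_execution is ignored; the code goes straight to Jupyter.
    return 200, {"output": jupyter.execute(body.get("code", ""))}


def handle_hardened(body: dict, user, cfg: Config, jupyter: FakeJupyter) -> tuple:
    """Same handler with the feature gate enforced before anything is forwarded."""
    if user is None:
        return 401, {"detail": "Not authenticated"}
    if not cfg.enable_code_execution:
        # Fail closed: the admin disabled the feature, so the endpoint is off.
        return 403, {"detail": "Code execution is disabled"}
    code = body.get("code")
    if not isinstance(code, str) or not code:
        return 400, {"detail": "Missing code"}
    return 200, {"output": jupyter.execute(code)}


# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2026:10:01:02 +0000] "POST /api/v1/chats/new HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Mar/2026:10:01:09 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 83',
    '10.0.0.9 - - [25/Mar/2026:10:02:31 +0000] "GET /api/v1/utils/code/execute HTTP/1.1" 405 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_code_execute_requests(log_lines, cfg: Config) -> list:
    """Return every request to the endpoint; flag all of them when the gate is off.

    Any method is reported: with ENABLE_CODE_EXECUTION=false no client should
    touch this path at all, so even a rejected GET is worth a look.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != ENDPOINT:
            continue
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "status": int(m["status"]),
            "bypass_attempt": not cfg.enable_code_execution,
        })
    return hits


def run_demo() -> dict:
    """Exercise both handlers with the gate disabled, then scan the sample log."""
    cfg = Config(enable_code_execution=False)
    payload = {"code": 'import os; print(os.popen("id").read())'}  # the advisory's example body

    vuln_jupyter = FakeJupyter()
    vuln_status, _ = handle_vulnerable(payload, "alice", cfg, vuln_jupyter)

    hard_jupyter = FakeJupyter()
    hard_status, _ = handle_hardened(payload, "alice", cfg, hard_jupyter)

    return {
        "vulnerable_status": vuln_status,
        "vulnerable_forwarded": vuln_jupyter.received,
        "hardened_status": hard_status,
        "hardened_forwarded": hard_jupyter.received,
        "log_hits": find_code_execute_requests(SAMPLE_LOG, cfg),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The gate check sits ahead of body validation so that a disabled deployment rejects every request identically, which also keeps the 403 from leaking whether the payload was well formed. In the log scan, the status code is kept in the hit so that a 200 on a deployment that claims to have code execution disabled stands out as a confirmed bypass rather than an attempt.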