Attack Chain

1. An attacker authenticates to the Open WebUI application as a valid user.
2. The attacker crafts a POST request to the /api/v1/utils/code/execute endpoint.
3. The POST request includes a JSON payload containing the code parameter with the Python code to be executed. Example: {"code":"import os; print(os.popen(\"id\").read())"}
4. The Open WebUI backend receives the request and, without checking the ENABLE_CODE_EXECUTION flag, forwards the code to the connected Jupyter server.
5. The Jupyter server executes the provided Python code within its container.
6. The executed code uses the os.popen() function to execute shell commands.
7. The Jupyter container, due to its network configuration, can access internal Docker services.
8. The attacker obtains the output of the executed code and any internal service data accessible from the Jupyter container, potentially exfiltrating sensitive information.

Impact

The vulnerability allows any authenticated user to execute arbitrary Python code in the Jupyter container, even when code execution is disabled. This leads to: arbitrary code execution in the Jupyter container, giving the attacker the ability to read files and spawn processes; network access to internal Docker services; data exfiltration from internal services; rendering the admin’s security configuration ineffective and creating a false sense of security for users who believe code execution is disabled.

Recommendation

• Upgrade Open WebUI to version 0.8.12 or later to patch CVE-2026-45672, as the vulnerability has been fixed in this version.
• Deploy the Sigma rule “Detect Open WebUI Code Execution Bypass via API Endpoint” to monitor for requests to the /api/v1/utils/code/execute endpoint.
• Review the network configuration of the Jupyter container to restrict access to internal Docker services, mitigating the potential impact of successful code execution.