PatchSiren

CVE-2026-45672 open-webui CVE debrief

Open WebUI versions prior to 0.8.12 contain a critical authorization bypass in the code execution feature. The /api/v1/utils/code/execute endpoint allows any authenticated user to execute arbitrary Python code via Jupyter, regardless of the ENABLE_CODE_EXECUTION=false configuration setting. The administrative feature gate is not enforced at the API layer, creating a dangerous gap between intended security policy and actual enforcement. This vulnerability enables authenticated attackers to achieve remote code execution with the privileges of the Open WebUI process, potentially leading to full system compromise, data exfiltration, or lateral movement within containerized or host environments. The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity.

Vendor: open-webui
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances with untrusted or partially-trusted user bases; security teams managing AI/ML infrastructure; DevOps engineers deploying Open WebUI in multi-tenant or production environments; compliance officers evaluating code execution controls in AI platforms

Technical summary

The vulnerability exists in the /api/v1/utils/code/execute API endpoint which interfaces with Jupyter for Python code execution. The ENABLE_CODE_EXECUTION configuration flag is intended to disable this functionality administratively, but the enforcement mechanism is absent from the API route handler. Authenticated users—regardless of role—can submit code execution requests that bypass the intended restriction. The code executes within the Jupyter environment with the privileges of the Open WebUI application process. This represents an authorization control failure (CWE-863) where security policy configuration is not synchronized with access control implementation. The fix in version 0.8.12 adds proper authorization checks to enforce the ENABLE_CODE_EXECUTION setting at the API layer.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Open WebUI to version 0.8.12 or later immediately
  • Verify that the ENABLE_CODE_EXECUTION setting reflects the intended security posture after upgrade
  • Audit access logs for unexpected /api/v1/utils/code/execute invocations prior to patching
  • Review authenticated user privileges and restrict them according to the principle of least privilege
  • Implement network segmentation to limit Open WebUI process reachability
  • Monitor for anomalous Jupyter kernel processes or outbound connections from Open WebUI hosts
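
One way to carry out the access-log audit from the list above, as an added example that is not from the advisory or the Open WebUI project. It assumes a reverse proxy writing combined-format access logs; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

ENDPOINT = "/api/v1/utils/code/execute"  # route named in the advisory

# Assumption: reverse-proxy access log in "combined" format (NGINX/Apache style).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [02/May/2026:10:14:03 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [02/May/2026:10:14:09 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2026:08:01:44 +0000] "POST /api/v1/utils/code/execute?x=1 HTTP/1.1" 401 87 "-" "curl/8.5.0"
192.0.2.33 - - [03/May/2026:09:30:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def find_execute_calls(lines):
    """Return one record per request that reached the code-execute route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip
        # Drop the query string and a trailing slash before comparing; endswith
        # also matches deployments served under a path prefix.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path.endswith(ENDPOINT):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"])})
    return hits

def summarize(hits):
    """Count calls per client and list the ones the server answered with 2xx."""
    per_client = Counter(h["ip"] for h in hits)
    accepted = [h for h in hits if 200 <= h["status"] < 300]
    return per_client, accepted

if __name__ == "__main__":
    per_client, accepted = summarize(find_execute_calls(SAMPLE_LOG.splitlines()))
    for ip, n in per_client.most_common():
        print(f"{ip}: {n} call(s)")
    for h in accepted:
        print(f"accepted: {h['ts']} {h['ip']} {h['method']} -> {h['status']}")
```

On an instance where ENABLE_CODE_EXECUTION was set to false before the upgrade, any 2xx entry for this route is worth correlating with the application's own authentication logs to identify the account behind it.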

Evidence notes

Vendor advisory confirms the feature gate bypass and provides fixed version. NVD analysis confirms CWE-863 (Incorrect Authorization) classification and affected version range.
