VYPR
High severity (8.8) · GHSA Advisory · Published May 15, 2026

CVE-2026-45672

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. This vulnerability is fixed in 0.8.12.
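The defect above is a feature gate that exists in configuration but is never consulted on the endpoint that matters. The following is an added illustration (not Open WebUI's code) of the pattern the fix restores: the boolean flag is parsed strictly from its environment string, and the handler checks it before dispatching to any engine. The names `Settings`, `Forbidden`, `require_feature`, `run_engine` and `execute_code` are constructed for this example; the flag and engine names mirror the advisory. It also shows the caveat a practitioner should check after upgrading: a flag read as the raw string `"false"` is truthy, so a gate built on the unparsed value never closes.

```python
"""Feature-gate pattern for a code-execution endpoint.

Added example, not Open WebUI code. Models the fix for CVE-2026-45672:
ENABLE_CODE_EXECUTION must be checked on the endpoint itself, before any
engine is dispatched. Settings/Forbidden/execute_code are constructed names.
"""


class Forbidden(Exception):
    """Stands in for an HTTP 403 response in a real web framework."""
    status_code = 403


def parse_bool(raw, default=False):
    """Parse a boolean from an environment-style string.

    Environment values are strings, so bool("false") is True; a gate built
    on the raw string would never close. Accept the common spellings
    explicitly and reject anything unrecognised instead of guessing.
    """
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in ("1", "true", "yes", "on"):
        return True
    if value in ("0", "false", "no", "off", ""):
        return False
    raise ValueError(f"unrecognised boolean setting: {raw!r}")


class Settings:
    """Minimal stand-in for request.app.state.config (constructed)."""

    def __init__(self, env):
        # Default is closed: an absent flag disables the feature.
        self.ENABLE_CODE_EXECUTION = parse_bool(env.get("ENABLE_CODE_EXECUTION"))
        self.CODE_EXECUTION_ENGINE = env.get("CODE_EXECUTION_ENGINE", "pyodide")


def require_feature(config, flag_name):
    """Feature gate: refuse with 403 unless the named boolean flag is set."""
    if not getattr(config, flag_name, False):
        raise Forbidden(f"{flag_name} is disabled")


def run_engine(engine, code):
    """Placeholder for the real engines; only records what would have run."""
    return {"engine": engine, "code": code, "status": "would-execute"}


def execute_code(config, code):
    """The endpoint handler: the gate runs first, before any engine dispatch."""
    require_feature(config, "ENABLE_CODE_EXECUTION")
    return run_engine(config.CODE_EXECUTION_ENGINE, code)


def gate_closes(env):
    """Return True if the endpoint refuses under the given environment."""
    try:
        execute_code(Settings(env), "print('hi')")
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(gate_closes({"ENABLE_CODE_EXECUTION": "false"}))  # True
    print(gate_closes({}))                                   # True
    print(gate_closes({"ENABLE_CODE_EXECUTION": "true"}))   # False
```

The gate sits in the handler rather than in the engine-specific branch so that adding a new engine cannot reintroduce the gap; an absent or unparseable value is treated as disabled rather than enabled.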

Affected products: 1

Patches: 1

Commit 6d736d3c598d

refac

https://github.com/open-webui/open-webui · Timothy Jaeryang Baek · Mar 27, 2026 · via GHSA
2 files changed · +12 −1
  • backend/open_webui/retrieval/utils.py · +6 −1 · modified
    @@ -30,6 +30,7 @@
     from open_webui.models.chats import Chats
     from open_webui.models.notes import Notes
     from open_webui.models.access_grants import AccessGrants
    +from open_webui.utils.access_control.files import has_access_to_file
     
     from open_webui.retrieval.vector.main import GetResult
     from open_webui.utils.headers import include_user_info_headers
    @@ -1042,7 +1043,11 @@ async def get_sources_from_items(
                         }
                     elif item.get('id'):
                         file_object = Files.get_file_by_id(item.get('id'))
    -                    if file_object:
    +                    if file_object and (
    +                        user.role == 'admin'
    +                        or file_object.user_id == user.id
    +                        or has_access_to_file(item.get('id'), 'read', user)
    +                    ):
                             query_result = {
                                 'documents': [[file_object.data.get('content', '')]],
                                 'metadatas': [
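Review bot: in the `get_sources_from_items` hunk, `item.get('id')` is evaluated three times (once for `Files.get_file_by_id`, once in the new `has_access_to_file` call); bind it once before the lookup, e.g. `file_id = item.get('id')`, so the id checked for access can never diverge from the id that was loaded. Also, when the new condition is false the file is silently skipped with no log line, which leaves an operator no trace of a user referencing a file they are not permitted to read; consider logging the user id and file id on the denied path. Finally, the commit message `refac` gives no hint that this hunk adds an authorization check; a message naming the access-control change would help anyone auditing the history.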
    
  • backend/open_webui/routers/utils.py · +6 −0 · modified
    @@ -42,6 +42,12 @@ async def format_code(form_data: CodeForm, user=Depends(get_admin_user)):
     
     @router.post('/code/execute')
     async def execute_code(request: Request, form_data: CodeForm, user=Depends(get_verified_user)):
    +    if not request.app.state.config.ENABLE_CODE_EXECUTION:
    +        raise HTTPException(
    +            status_code=403,
    +            detail='Code execution is disabled',
    +        )
    +
         if request.app.state.config.CODE_EXECUTION_ENGINE == 'jupyter':
             output = await execute_code_jupyter(
                 request.app.state.config.CODE_EXECUTION_JUPYTER_URL,
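Review bot: the gate is placed correctly, before the `CODE_EXECUTION_ENGINE` dispatch, so neither the `jupyter` branch nor any other engine is reachable when `ENABLE_CODE_EXECUTION` is false; three follow-ups. The hunk adds no import, so confirm `HTTPException` is already imported in this module (the adjacent `format_code` route suggests it is, but the hunk does not show it). The check is `if not request.app.state.config.ENABLE_CODE_EXECUTION:`, which only closes the gate if the flag is stored as a real boolean; if the config layer ever hands back the raw string `'false'`, that value is truthy and the gate passes, so the boolean coercion at config-load time is worth verifying. Since this exact omission shipped, add a regression test that posts to `/code/execute` as a verified user with the flag unset and asserts the 403.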
    
