Open WebUI: Jupyter code execution works despite ENABLE_CODE_EXECUTION=false
A security vulnerability in Open WebUI versions up to 0.8.11 allows authenticated users to execute arbitrary Python code via the Jupyter server even when code execution is disabled in the admin settings. The issue arises because the API endpoint does not enforce the ENABLE_CODE_EXECUTION flag, leading to a feature gate bypass. This has been fixed in version 0.8.12, which properly checks the configuration before allowing code execution.
- The /api/v1/utils/code/execute endpoint allows code execution despite ENABLE_CODE_EXECUTION being set to false.
- Any authenticated user can run arbitrary Python code in the Jupyter container, posing a security risk.
- The Jupyter container's network access to internal Docker services enables data exfiltration and SSRF attacks.
- The vulnerability was fixed in version 0.8.12 by enforcing the feature flag check in the API handler.
- CVE-2026-45672 has been assigned with a CVSS score of 8.8, classified as high severity.
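The class of bug described above is a handler that authenticates the caller but never consults the feature flag. The following is an added illustration, not Open WebUI's code: the `Config`, `User`, handler names, the placeholder `dispatch_to_jupyter`, the log format and the sample log lines are all assumptions constructed for this example. It shows the unguarded handler beside the corrected one, an environment-variable boolean parser that does not fall into the `bool("false") is True` trap, and a small audit-log check a defender can run to spot executions that succeeded while the gate was off.

```python
"""Feature-gate enforcement for a code-execution endpoint (illustrative, not Open WebUI's code)."""
import os
from dataclasses import dataclass

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}


def parse_bool(raw, default=False):
    """Parse an environment-style boolean.

    bool("false") is True in Python, so a naive cast would silently enable the
    feature; compare against explicit token sets and reject anything else.
    """
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean setting: {raw!r}")


@dataclass
class Config:
    """Assumed config object; only the one flag this example cares about."""
    enable_code_execution: bool = False

    @classmethod
    def from_env(cls, env=None):
        env = os.environ if env is None else env
        return cls(enable_code_execution=parse_bool(env.get("ENABLE_CODE_EXECUTION"), default=False))


@dataclass
class User:
    name: str
    verified: bool = True


def dispatch_to_jupyter(code):
    """Placeholder for the real backend call: records the request instead of running code."""
    return {"dispatched": True, "chars": len(code)}


def execute_code_vulnerable(config, user, code):
    """Bug pattern: checks authentication but never consults the feature flag."""
    if user is None or not user.verified:
        return 401, {"detail": "unauthorized"}
    return 200, dispatch_to_jupyter(code)


def execute_code_fixed(config, user, code):
    """Corrected pattern: the gate is evaluated on every request, before any dispatch."""
    if user is None or not user.verified:
        return 401, {"detail": "unauthorized"}
    if not config.enable_code_execution:
        return 403, {"detail": "code execution is disabled by the administrator"}
    return 200, dispatch_to_jupyter(code)


# Constructed access-log lines: "<timestamp> <user> <method> <path> <status>"
SAMPLE_AUDIT_LOG = [
    "2026-05-11T10:00:01Z alice POST /api/v1/utils/code/execute 200",
    "2026-05-11T10:00:02Z bob GET /api/v1/models 200",
    "2026-05-11T10:00:03Z carol POST /api/v1/utils/code/execute 403",
]

EXECUTE_PATH = "/api/v1/utils/code/execute"


def find_gate_bypasses(audit_lines, enabled):
    """Return log lines where the execute endpoint answered 200 while the gate was disabled.

    `enabled` is the value of ENABLE_CODE_EXECUTION in force for the period covered by
    the log; any successful execute while it was False indicates the flag was not enforced.
    """
    if enabled:
        return []
    hits = []
    for line in audit_lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, _user, method, path, status = parts
        if method == "POST" and path == EXECUTE_PATH and status == "200":
            hits.append(line)
    return hits


if __name__ == "__main__":
    cfg = Config.from_env({"ENABLE_CODE_EXECUTION": "false"})
    alice = User("alice")
    print("vulnerable handler:", execute_code_vulnerable(cfg, alice, "print(1)")[0])
    print("fixed handler:     ", execute_code_fixed(cfg, alice, "print(1)")[0])
    print("suspicious lines:  ", find_gate_bypasses(SAMPLE_AUDIT_LOG, enabled=cfg.enable_code_execution))
```

The ordering in `execute_code_fixed` is deliberate: the flag is checked inside the handler on every call rather than at startup or only in the UI, so a user who reaches the endpoint directly gets the same 403 the interface would have shown. The log check is intentionally simple; in a real deployment the "enabled" value would come from the admin-settings change history so that a flag flip mid-log does not produce false positives.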
Opening excerpt (first ~120 words)
open-webui / open-webui (GitHub security advisory)

Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
Severity: High
Published by doge-woof as GHSA-482j-2pq6-q5w4 on May 11, 2026
Package: open-webui (pip)
Affected versions: <= 0.8.11
Patched versions: >= 0.8.12

Description
Summary: The /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.