Open WebUI Command Injection Vulnerability
Executive Summary
Two high-impact command execution vulnerabilities were identified in Open WebUI that can allow authenticated users to execute arbitrary commands or Python code on the server hosting the application. These issues directly affect environments where Open WebUI is used to manage or interact with AI/LLM infrastructure and can lead to full compromise of the underlying system, exposure of AI models, API keys, and sensitive data.
Both vulnerabilities are classified as Remote Code Execution (RCE) and should be treated as critical risks to AI infrastructure.
Vulnerability Overview
| Field | Details |
|---|---|
| Product | Open WebUI |
| CVE IDs | CVE-2026-0766, CVE-2026-0765 |
| Vulnerability Type | Command Injection / Code Injection |
| CVSS v3.1 Score | 8.8 (High) |
| Severity | High |
| Attack Vector | Network |
| Authentication Required | Yes |
| User Interaction | None |
| Privileges Gained | Execution as Open WebUI service user |
| Exploit Availability | No public weaponized exploit; proof-of-concept techniques possible for educational/research purposes |
Technical Details
CVE-2026-0766 – Python Code Injection
This vulnerability exists in the load_tool_module_by_id functionality. User-controlled input is passed into a dynamic Python execution path without sufficient sanitization or restriction. As a result, arbitrary Python code can be executed by the Open WebUI backend.
Because the execution occurs in the application context, the attacker gains the same permissions as the Open WebUI service, which often includes:
- Access to AI model files
- API tokens and environment variables
- Local filesystem access
- Ability to spawn system processes
CVE-2026-0765 – OS Command Injection
This vulnerability is present in the install_frontmatter_requirements logic. The application processes user-supplied “requirements” and constructs system-level commands (for example, package installation commands) without properly neutralizing shell metacharacters.
This allows an attacker to inject additional shell commands that are executed by the operating system.
Exploitation Scenario
The vulnerabilities can be abused in the following way:
- A legitimate user account (or compromised credentials) is used to access Open WebUI.
- A crafted request is submitted to create or update a tool, function, or module.
- Malicious content is embedded within:
- Tool module identifiers (CVE-2026-0766), or
- Frontmatter requirement fields (CVE-2026-0765).
- The backend processes this input and executes it as Python code or as a shell command.
- Arbitrary commands are executed on the host system.
No special exploitation techniques are required beyond understanding how the vulnerable endpoints process input.
Impact
If exploited, the following outcomes are possible:
- Full compromise of the Open WebUI host
- Theft of AI model weights, prompts, or embeddings
- Exfiltration of API keys and credentials
- Installation of persistent backdoors
- Lateral movement into internal networks
- Abuse of AI infrastructure for unauthorized workloads
Because Open WebUI often runs in environments with elevated trust, the blast radius can be significant.
MITRE ATT&CK Mapping
- Execution
- Command and Scripting Interpreter (T1059)
- Initial Access
- Valid Accounts (T1078)
- Persistence
- Scheduled Task / Job (T1053)
- Credential Access
- Credentials from Configuration Files (T1552)
- Exfiltration
- Exfiltration Over Command and Control Channel (T1041)
Detection Strategy
Relevant Log Sources
- Open WebUI application logs
- Reverse proxy / web server access logs
- Operating system process creation logs
- Container runtime logs (Docker / Kubernetes)
- Network egress and firewall logs
Behavioral Indicators
- Unexpected execution of
python,pip,sh, orbashspawned by the Open WebUI process - Tool or function creation requests containing unusually long or complex input
- Requirement fields containing shell metacharacters
- Sudden outbound network connections following tool installation
- File creation or modification in application directories
Sample Splunk Detection Rules
1. Suspicious Tool or Requirement Installation Requests
index=webui_logs
(method=POST AND (uri="*tool*" OR uri="*install*"))
(body="*requirements*" OR body="*load_tool_module_by_id*")
| stats count by src_ip, user, uri
| where count > 3
2. Command Execution Spawned by Open WebUI
index=os_process_logs
(parent_process="*openwebui*" OR parent_process="*uvicorn*")
(process_name="python" OR process_name="pip" OR process_name="bash" OR process_name="sh")
| table _time host user parent_process process_name command_line
3. Anomalous Outbound Connections After Tool Changes
index=network_logs
(dest_ip!=internal_networks)
| stats count by src_ip dest_ip
| where count > 10
Proof of Concept Status
- No publicly weaponized exploit code is currently available.
- Exploitation techniques are straightforward and can be demonstrated in controlled lab environments for educational and defensive research purposes only.
- Organizations should assume exploitation is feasible and act accordingly.
Mitigation and Remediation
Immediate Actions
- Restrict access to tool creation and installation features
- Enforce strong authentication and rotate all Open WebUI credentials
- Monitor process execution and outbound network traffic
- Isolate Open WebUI from sensitive internal systems where possible
Official Patch / Upgrade
The vulnerabilities should be remediated by upgrading to a fixed version of Open WebUI once released.
Official upgrade and release information:
👉 https://github.com/open-webui/open-webui/releases
Only versions explicitly listed as fixed by the project should be considered safe.
Final Takeaway
These vulnerabilities highlight the risks of dynamic code execution and system command construction in AI platforms. Any environment running Open WebUI should treat this issue as a priority incident and apply compensating controls until an official fix is deployed.
