A high-severity vulnerability has been identified in the Open WebUI platform, which could allow an authenticated attacker to execute arbitrary code on the server. Successful exploitation could lead to a complete compromise of the self-hosted AI environment, resulting in data theft, service disruption, and unauthorized access to the underlying infrastructure.

This vulnerability is an authenticated remote code execution (RCE) flaw within a component responsible for processing user-supplied data. An attacker with valid user credentials can send a specially crafted request to the application's API. Due to improper input sanitization, this input can be executed as a command on the underlying server, granting the attacker the ability to run arbitrary code with the privileges of the WebUI service account.

This vulnerability is rated as High severity with a CVSS score of 7.3. A successful exploit could grant an attacker a foothold within the organization's internal network, as the Open WebUI platform is self-hosted. Potential consequences include the theft of sensitive proprietary data, such as AI models and training datasets, unauthorized access to the server's file system, and disruption of critical AI-driven services. Furthermore, a compromised server could be used as a pivot point for lateral movement to attack other systems within the corporate network.

Immediate Action: Apply vendor security updates immediately. After patching, it is crucial to monitor for any signs of post-exploitation activity and review historical access logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Security teams should monitor for anomalous activity on servers hosting Open WebUI. This includes looking for unexpected child processes spawned by the WebUI application, unusual outbound network connections to unknown IP addresses, and reviewing web server access logs for suspicious API requests containing shell metacharacters or command-like syntax.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. Restrict network access to the Open WebUI interface to only trusted IP ranges. Place the server behind a Web Application Firewall (WAF) with rules designed to detect and block command injection attempts. Ensure multi-factor authentication (MFA) is enforced for all user accounts to raise the difficulty of obtaining the initial access required for exploitation.

Public Exploit Available: false

Given the high severity (CVSS 7.3) and the potential for complete system compromise, it is strongly recommended that organizations prioritize the immediate application of vendor-supplied security updates to all affected Open WebUI instances. Although this vulnerability is not currently listed on the CISA KEV catalog, its impact makes it a highly attractive target for threat actors. Proactive patching and monitoring are critical to mitigating the risk of exploitation and protecting sensitive AI assets and infrastructure.