Platform
python
Component
open-webui
Fixed in
0.5.17
CVE-2024-8060 is a Remote Code Execution (RCE) vulnerability affecting OpenWebUI versions up to 0.5.9. This flaw resides within the audio transcription API endpoint, allowing authenticated users to upload arbitrary files. Successful exploitation could lead to the overwriting of critical files within the Docker container, potentially granting an attacker root access. A fix is available in version 0.5.17.
The vulnerability lies in the /audio/api/v1/transcriptions endpoint, where insufficient validation of the file.content_type and user-controlled filenames allows for path traversal. An attacker, after authenticating to the system, can craft a malicious file upload request. This request, if successful, overwrites files within the OpenWebUI Docker container. Given that OpenWebUI often runs with root privileges within the container, this overwrite can lead to arbitrary code execution as the root user. The blast radius extends to the entire containerized environment, potentially compromising the host system if container isolation is not properly configured. This vulnerability shares similarities with other file upload vulnerabilities where improper validation leads to path traversal and subsequent code execution.
CVE-2024-8060 was publicly disclosed on March 20, 2025. The vulnerability's severity is rated HIGH with a CVSS score of 8.1. Currently, there are no known active campaigns exploiting this vulnerability, but the availability of a public proof-of-concept increases the risk of future exploitation. It is not currently listed on the CISA KEV catalog.
Organizations deploying OpenWebUI within Docker containers, particularly those using it for sensitive audio processing tasks, are at significant risk. Shared hosting environments where OpenWebUI is installed could also be vulnerable if multiple users share the same container.
• linux / server: Monitor Docker container logs for unusual file creation or modification activity, particularly within the OpenWebUI application directory. Use journalctl -u openwebui to check for suspicious API calls.

journalctl -u openwebui | grep '/audio/api/v1/transcriptions'

• generic web: Monitor web server access logs for requests to /audio/api/v1/transcriptions with unusual or unexpected Content-Type headers.

grep '/audio/api/v1/transcriptions' /var/log/apache2/access.log

• python: If you have access to the OpenWebUI source code, review the /audio/api/v1/transcriptions endpoint for inadequate file validation logic.
Disclosure
Exploit status
EPSS
0.92% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade OpenWebUI to version 0.5.17 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. Implement strict input validation on the file.content_type parameter within the /audio/api/v1/transcriptions endpoint. Restrict allowed file extensions to only those explicitly required for transcription processing. Employ a Web Application Firewall (WAF) to filter requests containing suspicious filenames or content types. Monitor container logs for unusual file creation or modification events, particularly within the OpenWebUI container's root directory. After upgrading, confirm the fix by attempting a file upload with a deliberately malicious filename and verifying that the upload is rejected.
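As an added example of the strict input validation the mitigation describes (example code, not open-webui's own), this Python function treats both the client-supplied filename and content_type as untrusted: it allowlists media types, requires the extension to match the declared type, and stores the file under a server-generated name, so a traversal sequence in the filename can never select the write location. The allowlist and the upload directory are assumptions for the example.

```python
import os
import re
import uuid
from pathlib import Path

# Assumed allowlist for this example (illustrative, not open-webui's own):
# each permitted media type mapped to the one extension it may carry.
ALLOWED_TYPES = {
    "audio/mpeg": ".mp3",
    "audio/wav": ".wav",
    "audio/x-wav": ".wav",
    "audio/webm": ".webm",
    "audio/ogg": ".ogg",
}
UPLOAD_DIR = Path("/tmp/transcription-uploads")  # assumed storage location


def safe_upload_path(filename: str, content_type: str,
                     upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return the path an upload may be written to, or raise ValueError.

    filename and content_type are untrusted: the media type must be
    allowlisted, the extension must match it, and the stored name is chosen
    server-side so the client cannot steer the write location.
    """
    # 'audio/wav; codecs=1' -> 'audio/wav'; parameters are not the type.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_TYPES:
        raise ValueError(f"content type not allowed: {content_type!r}")
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Keep only the last path component, whichever separator the client used.
    base = re.split(r"[\\/]", filename)[-1]
    ext = os.path.splitext(base)[1].lower()
    if ext != ALLOWED_TYPES[media_type]:
        raise ValueError(f"extension {ext!r} does not match {media_type!r}")
    # Server-chosen name: the original filename never reaches the filesystem.
    dest = (upload_dir / f"{uuid.uuid4().hex}{ext}").resolve()
    if dest.parent != upload_dir.resolve():
        raise ValueError("destination escaped the upload directory")
    return dest


def is_accepted(filename: str, content_type: str) -> bool:
    """True if the upload would be stored, False if it is rejected."""
    try:
        safe_upload_path(filename, content_type)
    except ValueError:
        return False
    return True
```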
Update OpenWebUI to a version later than 0.3.0 that fixes the arbitrary file upload vulnerability. Consult the release notes for more details on the update. As a temporary measure, restrict access to the `/audio/api/v1/transcriptions` endpoint until the update can be performed.
CVE-2024-8060 is a Remote Code Execution vulnerability in OpenWebUI versions up to 0.5.9, allowing authenticated users to upload arbitrary files and potentially gain root access.
You are affected if you are running OpenWebUI version 0.5.9 or earlier. Upgrade to 0.5.17 or later to resolve the vulnerability.
Upgrade OpenWebUI to version 0.5.17 or later. As a temporary workaround, implement a WAF rule to block requests to the vulnerable endpoint.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Refer to the OpenWebUI GitHub repository for updates and advisories regarding CVE-2024-8060: [https://github.com/open-webui/open-webui](https://github.com/open-webui/open-webui)