Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability in Open WebUI, a self-hosted AI platform, allows authenticated users to execute server-side code by clicking a "Run" button within a chat payload. The issue arises from how chat data is processed, potentially enabling access to administrative functions and commands.
- Stored chat data can execute code on the server.
- Affects self-hosted AI platforms.
- Verify relevance and check exposure.
Attack Path
How an attacker could exploit the issue
An attacker can trick a logged-in user into clicking a "Run" button within Open WebUI. This action allows malicious code, hidden within a chat message, to execute authenticated requests to sensitive admin endpoints on the server by leveraging the platform's client-side Python environment.
- Requires authenticated user interaction.
- Triggered by user clicking "Run".
- Risk of unauthorized server-side code execution.
Live Threat
Current exploitation, exposure, and threat context
When a user interacts with a vulnerable version of Open WebUI and clicks "Run" on a malicious chat payload, it can trigger authenticated, same-origin requests. These requests could potentially reach admin-only endpoints or execute server-side code through configured tools, when supported by the advisory.
- Admin-only endpoints or server-side code.
- Malicious payload execution via user interaction.
- Unauthorized access and server-side actions.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Open WebUI product is a self-hosted AI platform, suggesting that infrastructure or platform teams are likely responsible for its deployment and maintenance. Initial actions should focus on identifying all instances of Open WebUI within the environment, assessing their reachability and business criticality, and locating the accountable owner before planning any remediation.
- Identify affected technology instances and owners.
- Verify instance reachability and business criticality.
- Plan remediation based on identified risk.