Cyber Posture

CVE-2026-45672

High

Published: 15 May 2026

Published
15 May 2026
Modified
15 May 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 18.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-45672 is a high-severity Incorrect Authorization (CWE-863) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-1 Policy and Procedures
addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

AC-13 Supervision and Review — Access Control
addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

AC-16 Security and Privacy Attributes
addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

AC-17 Remote Access
addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

AC-18 Wireless Access
addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

AC-19 Access Control for Mobile Devices
addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

AC-2 Account Management
addresses: CWE-863

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

AC-20 Use of External Systems
addresses: CWE-863

Ensures authorization decisions for external system use are correctly implemented and enforced.

NVD Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is…

more

not enforced on the API endpoint — the configuration says "disabled" but code still executes. This vulnerability is fixed in 0.8.12.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-863

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence

References