CVE-2024-8060: Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions
Open WebUI version 0.3.0 contains a vulnerability in the audio API endpoint /audio/api/v1/transcriptions that allows arbitrary file upload. The application performs insufficient validation of file.content_type and accepts user-controlled filenames, so a filename carrying path traversal sequences is used when the upload is written to disk. An authenticated user can exploit this to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user.
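The two weaknesses the advisory names, a weakly checked declared content type and a client-chosen filename reaching the filesystem, are both addressed by the following Python function. It is an added example written for this page, not code from Open WebUI or from this advisory; the upload directory, the MIME allow-list and the function names are assumptions. The declared content type is matched exactly against an allow-list (it is still client-supplied, so it constrains the stored extension rather than proving what the bytes are), the client-supplied name contributes at most a sanitised stem to a server-generated filename, and the final path is resolved and checked to lie inside the upload directory.

```python
"""Hardened handling of an uploaded audio file's name and declared type.

Hypothetical example: the upload directory, the allow-list and the
function names are assumptions made for illustration.
"""
from pathlib import Path
import re
import secrets

# Constructed allow-list: declared MIME types a transcription endpoint might
# accept, mapped to the extension the stored file is given. The client never
# chooses the extension; it follows from the accepted type.
ALLOWED_AUDIO_TYPES = {
    "audio/wav": ".wav",
    "audio/x-wav": ".wav",
    "audio/mpeg": ".mp3",
    "audio/webm": ".webm",
    "audio/ogg": ".ogg",
}

UPLOAD_DIR = Path("/tmp/transcription_uploads")  # assumed storage location

# Anything outside this character class is replaced in the kept stem.
_UNSAFE_STEM_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Raised when the declared type or the filename fails validation."""


def safe_upload_path(filename: str, content_type: str,
                     upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return the path an upload may be written to, or raise UploadRejected.

    Defences, in order:
    1. content_type must be an exact member of the allow-list, not a prefix
       or substring match.
    2. Only the last path component of the client-supplied name is kept; any
       directory part, including traversal sequences, is discarded outright
       rather than "cleaned".
    3. The stored name is a random token plus the allow-listed extension, so
       the client controls neither the directory nor the suffix.
    4. The resolved path must lie inside upload_dir (defence in depth).
    """
    ext = ALLOWED_AUDIO_TYPES.get(content_type)
    if ext is None:
        raise UploadRejected(f"content type not permitted: {content_type!r}")

    # Keep only the last component, whichever separator the client used.
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem = _UNSAFE_STEM_CHARS.sub("_", Path(basename).stem).strip("._")
    if not stem:
        raise UploadRejected("filename has no usable characters")

    stored_name = f"{secrets.token_hex(8)}_{stem[:64]}{ext}"
    target = (upload_dir / stored_name).resolve()

    # Even after sanitisation, refuse anything that resolves outside the directory.
    root = upload_dir.resolve()
    if root not in target.parents:
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def accepts(filename: str, content_type: str) -> bool:
    """True if the upload would be stored, False if it is rejected."""
    try:
        safe_upload_path(filename, content_type)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    print(safe_upload_path("meeting recording.wav", "audio/wav"))
    print(accepts("notes.wav", "text/x-shellscript"))
```

Because the directory part of the client name is dropped rather than normalised, a traversal attempt is not an error but simply lands as an ordinary file in the upload directory; the containment check on the resolved path then guards against any sanitisation mistake. Verifying the audio bytes themselves (for example by sniffing the container header) would be a further step this example does not take.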