What is the severity of CVE-2024-8060?

CVE-2024-8060 is classified as a critical severity vulnerability due to its potential exploitation through arbitrary file uploads.

How do I fix CVE-2024-8060?

To address CVE-2024-8060, upgrade OpenWebUI to version 0.5.17 or later.

Can CVE-2024-8060 lead to remote code execution?

Yes, CVE-2024-8060 could potentially allow for remote code execution due to the ability for arbitrary file upload.

Is CVE-2024-8060 present in versions prior to 0.3.0?

CVE-2024-8060 does not apply to versions prior to 0.3.0, as it specifically affects version 0.3.0.

Vulnerability/
CVE-2024-8060

high

8.1

CWE

434 22

20/3/2025

21/3/2025

CVE-2024-8060: Remote Code Execution in OpenWebUI via Arbitrary File Upload

Q: What specific component is affected by CVE-2024-8060?

CVE-2024-8060 affects the audio API endpoint `/audio/api/v1/transcriptions` in OpenWebUI version 0.3.0.

First published: Thu Mar 20 2025(Updated: )

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the `file.content_type` and allows user-controlled filenames, leading to a path traversal vulnerability. This can be exploited by an authenticated user to overwrite critical files within the Docker container, potentially leading to remote code execution as the root user.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
OpenWebUI
pip/open-webui	<0.5.17	0.5.17

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-8060?
CVE-2024-8060 is classified as a critical severity vulnerability due to its potential exploitation through arbitrary file uploads.
How do I fix CVE-2024-8060?
To address CVE-2024-8060, upgrade OpenWebUI to version 0.5.17 or later.
What specific component is affected by CVE-2024-8060?
CVE-2024-8060 affects the audio API endpoint `/audio/api/v1/transcriptions` in OpenWebUI version 0.3.0.
Can CVE-2024-8060 lead to remote code execution?
Yes, CVE-2024-8060 could potentially allow for remote code execution due to the ability for arbitrary file upload.
Is CVE-2024-8060 present in versions prior to 0.3.0?
CVE-2024-8060 does not apply to versions prior to 0.3.0, as it specifically affects version 0.3.0.

agent/title
agent/weakness
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
collector/nvd-api
source/NVD
agent/author
agent/severity
collector/github-advisory-latest
source/GitHub
alias/GHSA-ff5c-56m7-vc75
alias/CVE-2024-8060
agent/references
agent/source
agent/last-modified-date
agent/softwarecombine
agent/event
collector/nvd-cve
agent/tags
collector/mitre-cve
source/MITRE
collector/github-advisory
vendor/openwebui
canonical/openwebui
package-manager/pip

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.