Open WebUI AI Interface Vulnerability Enables Account Takeover and Remote Code Execution

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

A high-severity vulnerability (CVE-2025-64496) in Open WebUI, an open-source AI interface, allowed attackers to exploit the Direct Connections feature to execute arbitrary code and take over user accounts. The flaw enabled theft of authentication tokens and, in some cases, remote code execution on backend servers, risking data and system compromise. [AI generated]

Why's our monitor labelling this an incident or hazard?

The vulnerability directly involves an AI system (Open WebUI) and its use/malfunction, leading to account takeover and remote code execution, which are clear harms to property and system security. The attack exploits AI system features and permissions, causing direct harm through unauthorized access and potential system compromise. The presence of realized harm risks and the detailed description of the exploit and its consequences meet the criteria for an AI Incident rather than a hazard or complementary information. [AI generated]

AI principles
Robustness & digital security; Privacy & data governance; Safety; Accountability

Industries
Digital security; IT infrastructure and hosting

Affected stakeholders
Consumers; Business

Harm types
Human or fundamental rights

Severity
AI incident

AI system task:
Content generation


Articles about this incident or hazard

Open WebUI account takeover flaw could lead to remote code execution

2026-01-06
SC Media
Why's our monitor labelling this an incident or hazard?
The vulnerability directly involves an AI system (Open WebUI) and its use/malfunction, leading to account takeover and remote code execution, which are clear harms to property and system security. The attack exploits AI system features and permissions, causing direct harm through unauthorized access and potential system compromise. The presence of realized harm risks and the detailed description of the exploit and its consequences meet the criteria for an AI Incident rather than a hazard or complementary information.

Open WebUI bug turns the 'free model' into an enterprise backdoor - geekfence.com

2026-01-06
GeekFence - Tech Insights That Matter
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Open WebUI) and a security flaw in its use that can lead to serious harm including unauthorized access and remote code execution, which can compromise data and infrastructure. These harms fall under (c) violations of rights and (d) harm to property or communities through unauthorized access and potential data breaches. Since the vulnerability has been exploited or is exploitable leading to these harms, this qualifies as an AI Incident. The description details the direct link between the AI system's malfunction (security flaw) and the harm potential, meeting the criteria for an AI Incident rather than a hazard or complementary information.

High-Severity Flaw in Open WebUI Affects AI Connections

2026-01-06
Infosecurity Magazine
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Open WebUI) that interfaces with AI model servers, explicitly described as OpenAI-compatible, indicating AI system involvement. The vulnerability arises from the use of the AI system's feature (Direct Connections) and leads to direct harm: account takeover and exposure of sensitive user data, which constitutes harm to property and potentially to user privacy and rights. The harm has already occurred or was imminent before the patch, fulfilling the criteria for an AI Incident. The event is not merely a potential risk or a governance update but a concrete security incident involving AI system misuse and malfunction.

This WebUI vulnerability allows remote code execution - here's how to stay safe

2026-01-06
TechRadar
Why's our monitor labelling this an incident or hazard?
The vulnerability directly involves an AI system (Open WebUI for AI language models) and its misuse or malfunction leads to significant security harm, including remote code execution and account takeover. This fits the definition of an AI Incident because the AI system's malfunction has directly led to a security breach risk that can harm users and their data (harm to property and potentially to persons). Although the patch mitigates the issue, the vulnerability was active and exploitable, thus constituting an incident rather than a mere hazard or complementary information. The article also advises on mitigation, but the primary focus is on the vulnerability and its consequences, not just on the response.

CVE-2025-64496: Open WebUI Vulnerability Enables Remote Code Execution

2026-01-06
WebProNews
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Open WebUI) that interfaces with large language models and enables connections to external AI models. The vulnerability arises from the AI system's use and design, specifically in handling inputs from connected AI models, leading to remote code execution and account hijacking. These outcomes constitute direct harm to property and enterprise networks, fulfilling the criteria for an AI Incident. The description confirms realized harm or active exploitation potential, not just theoretical risk, and the AI system's malfunction or misuse is pivotal to the incident. Therefore, this is classified as an AI Incident.

High Severity Flaw In Open WebUI Can Leak User Conversations and Data - IT Security News

2026-01-07
IT Security News
Why's our monitor labelling this an incident or hazard?
The vulnerability involves an AI system (Open WebUI) that interfaces with AI model servers and manages AI workflows. The exploitation of this flaw directly leads to unauthorized access and data leakage, which is a violation of user rights and harms the users by exposing sensitive information. Therefore, this event qualifies as an AI Incident because the AI system's use and its security flaw have directly led to harm through data breaches and privacy violations.