CVE-2024-8060 is a path traversal vulnerability classified under CWE-22 found in OpenWebUI version 0.3.0, specifically in the audio API endpoint `/audio/api/v1/transcriptions`. The vulnerability arises due to insufficient validation of the `file.content_type` and user-controlled filenames during file uploads. This flaw allows an authenticated attacker to craft malicious filenames that traverse directories and overwrite arbitrary files within the Docker container hosting OpenWebUI. Because the application runs inside a Docker container, overwriting critical files can lead to remote code execution with root privileges, effectively compromising the container and potentially the host system if Docker is misconfigured. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based (AV:N). The CVSS v3.0 score is 8.1, indicating high severity, with low attack complexity and no user interaction required. Although no known exploits have been reported in the wild, the potential impact is significant due to the ability to execute arbitrary code as root. The vulnerability highlights the importance of strict input validation and secure handling of file uploads, especially in containerized environments where file system boundaries must be enforced. No patches are currently listed, so organizations must implement compensating controls until an official fix is released.

For European organizations, the impact of CVE-2024-8060 can be severe. Successful exploitation allows attackers to overwrite critical files and execute arbitrary code with root privileges inside the Docker container, potentially leading to full system compromise. This threatens confidentiality, integrity, and availability of affected systems. Organizations using OpenWebUI in production, particularly in sensitive sectors such as finance, healthcare, or critical infrastructure, could face data breaches, service disruptions, and regulatory compliance violations under GDPR. The containerized deployment model may limit lateral movement if properly isolated, but misconfigurations could allow attackers to escape the container and compromise host systems. The requirement for authentication reduces the attack surface but insider threats or compromised credentials could facilitate exploitation. The lack of known exploits suggests a window for proactive mitigation, but also means organizations should prioritize monitoring for suspicious activity related to file uploads and container integrity.

1. Immediately restrict access to the OpenWebUI audio API endpoint to trusted users and networks. 2. Implement strict validation on uploaded file names to disallow path traversal characters such as '../' and enforce whitelisting of allowed file extensions and content types. 3. Use container security best practices: run containers with least privilege, disable root user execution where possible, and apply read-only file system mounts for critical directories. 4. Monitor file system changes within containers and audit logs for unusual file upload activity. 5. Employ network segmentation to isolate OpenWebUI containers from sensitive internal systems. 6. Regularly rotate and enforce strong authentication credentials to reduce risk of compromised accounts. 7. Stay alert for official patches or updates from the OpenWebUI project and apply them promptly once available. 8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block path traversal attempts targeting the vulnerable endpoint. 9. Conduct penetration testing and vulnerability scanning focused on file upload functionalities to identify similar weaknesses.