If you discover a security vulnerability in Open Computer Use, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, reach out via:
- Telegram: @yambrcom
- GitHub: Private vulnerability reporting

Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix or mitigation: Depends on severity
The following are in scope:
- Computer Use Server (`computer-use-server/`)
- Sandbox container escape
- MCP authentication bypass
- File access outside sandbox
- Open WebUI integration vulnerabilities
This setup is tested in production with 1000+ users on Open WebUI in a self-hosted environment. Key points:
- Docker socket access grants significant host control — run only in trusted environments
- MCP_API_KEY is the only auth for the MCP endpoint — set a strong random key
- File/preview endpoints use chat ID (UUID) as the sole access control — not a real security boundary
- User identity is client-asserted (HTTP headers), not verified server-side
- API credentials (GitLab, Anthropic) are passed in HTTP headers — use HTTPS if exposing externally
- Container runtime is standard Docker (runc), not gVisor — containers share the host kernel. Claude.ai uses gVisor for additional syscall-level isolation. We plan to add optional gVisor support (see roadmap)
For multi-user deployments, see the Security Roadmap in README.md.
These are known limitations with planned fixes:
- Unauthenticated file access: Anyone with a chat ID can download files via `/files/{chat_id}/`
- No user verification: Server trusts the `X-User-Email` header without validation
- Default credentials: `admin@open-computer-use.dev` / `admin` in Open WebUI auto-init
We are working on per-session signed tokens, JWT validation, and audit logging. See README for the full roadmap.
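To make the gap between the current chat-ID-only check and the planned per-session signed tokens concrete, here is an added example (not code from the Open Computer Use project). It contrasts the weak "possession of the chat ID is authorization" check with an HMAC-signed token that binds a server-verified user to one chat ID with an expiry. The function names, token layout, `SERVER_SECRET` and all sample values are assumptions of this example; a real deployment would load the secret from the environment and decide the user identity server-side rather than from a client-supplied header.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side signing secret (constructed for this example).
# It must never come from a client request.
SERVER_SECRET = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def weak_authorize(requested_chat_id: str, known_chat_ids: set[str]) -> bool:
    """The limitation described above: knowing the chat UUID is treated as
    authorization, so any holder of the ID passes this check."""
    return requested_chat_id in known_chat_ids


def issue_file_token(secret: bytes, user_email: str, chat_id: str,
                     ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a per-session token that binds a server-verified user to exactly
    one chat ID and expires after ttl_seconds. Format: base64url(payload).base64url(hmac)."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": user_email,
        "chat_id": chat_id,
        "exp": now + ttl_seconds,
        "nonce": secrets.token_hex(8),  # makes each issued token distinct
    }
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def verify_file_token(secret: bytes, token: str, requested_chat_id: str,
                      now: Optional[int] = None) -> Optional[str]:
    """Return the user bound to the token when the signature is valid, the token
    is unexpired and it was issued for the requested chat ID; otherwise None.
    The chat ID in the URL is only honoured if the token vouches for it."""
    now = int(time.time()) if now is None else now
    try:
        body, tag_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison before parsing anything from the payload.
        if not hmac.compare_digest(expected, _b64url_decode(tag_text)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("chat_id") != requested_chat_id:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload.get("sub")


if __name__ == "__main__":
    tok = issue_file_token(SERVER_SECRET, "alice@example.com", "chat-1", ttl_seconds=600)
    print("valid  :", verify_file_token(SERVER_SECRET, tok, "chat-1"))
    print("wrong chat:", verify_file_token(SERVER_SECRET, tok, "chat-2"))
```

The file endpoint would call `verify_file_token` with the `chat_id` taken from the URL and treat a `None` result as 403, so a leaked or guessed UUID is no longer sufficient on its own. Because the token carries the user the server authenticated at issue time, it also removes the dependency on the client-asserted `X-User-Email` header for this path; audit logging can record the returned `sub` rather than whatever the client claimed.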