Open WebUI: This WebUI vulnerability allows remote code execution - here's how to stay safe

High-Severity Vulnerability in Open WebUI Enables Account Takeover and RCE

A high-severity code injection flaw, tracked as CVE-2025-64496 (CVSS 8.0), was discovered in Open WebUI, an open-source, self-hosted interface for AI language models. The vulnerability, disclosed in October 2025 by Cato CTRL Senior Security Researcher Vitaly Simonovich, affects versions 0.6.34 and earlier and resides in the Direct Connection feature.

The flaw allows attackers to execute arbitrary JavaScript via Server-Sent Event (SSE) execute events, enabling account takeover through token theft. When chained with the Functions API, the exploit can escalate to remote code execution (RCE) on the backend server.

Exploitation requires victims to enable Direct Connections (disabled by default) and add a malicious model URL, which can be achieved through social engineering. The patch, version 0.6.35, introduces middleware protections to block malicious SSE execution from Direct Connection servers.

Researchers recommend restricting Direct Connections to vetted services, limiting workspace.tools permissions to essential users, and monitoring for suspicious tool creations. The vulnerability highlights a trust boundary failure between untrusted model servers and a trusted browser context.

Source: https://www.techradar.com/pro/security/this-webui-vulnerability-allows-remote-code-execution-heres-how-to-stay-safe

Open WebUI cybersecurity rating report: https://www.rankiteo.com/company/open-webui

"id": "OPE1767733551",
"linkid": "open-webui",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'industry': 'Technology, Artificial Intelligence',
                        'name': 'Open WebUI',
                        'type': 'Software (Open-Source AI Web Interface)'}],
 'attack_vector': 'Malicious model URLs via Direct Connections, Functions API '
                  'chaining',
 'customer_advisories': 'Monitor tool permissions and suspicious activity; '
                        'treat external AI connections as third-party code',
 'data_breach': {'sensitivity_of_data': 'High (account takeover risk)',
                 'type_of_data_compromised': 'Authentication tokens, account '
                                             'credentials'},
 'date_detected': '2025-10',
 'date_publicly_disclosed': '2025-10',
 'description': 'Open WebUI carried CVE-2025-64496, a high-severity code '
                'injection flaw in Direct Connection features. Exploitation '
                'could enable account takeover and remote code execution (RCE) '
                'via malicious model URLs and Functions API chaining. The '
                'vulnerability allows threat actors to run arbitrary '
                'JavaScript in browsers via Server-Sent Event (SSE) execute '
                'events, leading to token theft and full account compromise.',
 'impact': {'data_compromised': 'Tokens, account credentials',
            'identity_theft_risk': 'High (account takeover)',
            'operational_impact': 'Account takeover, potential remote code '
                                  'execution (RCE)',
            'systems_affected': 'Open WebUI backend servers'},
 'initial_access_broker': {'entry_point': 'Malicious model URLs via Direct '
                                          'Connections'},
 'investigation_status': 'Disclosed, patch available',
 'lessons_learned': 'Treat connections to external AI servers like third-party '
                    'code; limit Direct Connections to vetted services; '
                    'restrict workspace.tools permissions to essential users.',
 'post_incident_analysis': {'corrective_actions': 'Middleware protections, '
                                                  'user education on Direct '
                                                  'Connection risks, '
                                                  'permission restrictions',
                            'root_causes': 'Trust boundary failure between '
                                           'untrusted model servers and '
                                           'trusted browser context'},
 'recommendations': ['Patch to Open WebUI v0.6.35 or newer',
                     'Restrict Direct Connections to properly vetted services',
                     'Limit workspace.tools permissions to essential users',
                     'Monitor for suspicious tool creations',
                     'Enable middleware protections for SSE execution'],
 'references': [{'source': 'Cato CTRL'},
                {'source': 'NVD (National Vulnerability Database)'},
                {'source': 'TechRadar Pro'}],
 'response': {'communication_strategy': 'Public disclosure, patch release, '
                                        'user advisories',
              'containment_measures': 'Patch v0.6.35 released to block SSE '
                                      'execution from Direct Connection '
                                      'servers',
              'enhanced_monitoring': 'Recommended monitoring of suspicious '
                                     'tool creations and workspace.tools '
                                     'permissions',
              'remediation_measures': 'Middleware protections added, users '
                                      'advised to restrict Direct Connections '
                                      'to vetted services',
              'third_party_assistance': 'Cato CTRL (Security Research)'},
 'stakeholder_advisories': 'Users urged to apply patch v0.6.35 and restrict '
                           'Direct Connections',
 'title': 'CVE-2025-64496: Code Injection Flaw in Open WebUI Direct Connection '
          'Features',
 'type': 'Code Injection',
 'vulnerability_exploited': 'CVE-2025-64496'}