CVE-2025-64496
published 2025-11-08


Priority: P2 · 60 · high · 8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 7.77% (93.9th percentile)
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.

Affected

5 ranges

Vendor      | Product    | Version range   | Fixed in
open-webui  | open-webui | < 0.6.35        | 0.6.35
open-webui  | open-webui | >= 0, < 0.9.5   | 0.9.5
open-webui  | open-webui | >= 0, < 0.6.35  | 0.6.35
open-webui  | open-webui | >= 0, < 0.6.35  | 0.6.35
openwebui   | open_webui | < 0.6.35        | 0.6.35

Detection & IOCs (extracted from sources)

  • Malicious external model server sends Server-Sent Event (SSE) 'execute' events containing arbitrary JavaScript to victim browsers via the Direct Connections feature of Open WebUI
  • Attack chain leads to authentication token theft and account takeover; when chained with the Functions API, enables remote code execution on the backend server
  • Attack vector requires victim to have Direct Connections enabled and a malicious model URL added; monitor for unexpected external model server URLs configured in Open WebUI Direct Connections settings
  • Direct Connections feature is disabled by default; the attack surface only exists when an admin explicitly enables it and adds an attacker-controlled model URL
  • Affected versions are 0.6.224 and prior (through 0.6.34); the fix is present in version 0.6.35
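The description above and the detection notes both come down to one client-side rule: anything a Direct Connection model server streams back over SSE is data to be rendered, never code to be run. The following is an added example, not Open WebUI's own code, showing a browser-side SSE consumer that parses frames and dispatches only allow-listed event types, so an 'execute' event from the model server is dropped and recorded for alerting rather than evaluated. The allowed event names ('message', 'done') and the sample stream are constructed for illustration and are not Open WebUI's real protocol.

```javascript
// Added example (not Open WebUI's code): parse an SSE stream from an external
// model server and dispatch only allow-listed event types, treating every
// payload as plain data. The event names 'message' and 'done' are constructed
// assumptions, not Open WebUI's real event names.

// Parse the raw text of an SSE stream into {event, data} frames.
// Frames are separated by blank lines; each line is "field: value".
function parseSseFrames(text) {
  const frames = [];
  for (const chunk of text.split(/\r?\n\r?\n/)) {
    const lines = chunk.split(/\r?\n/).filter((l) => l.length > 0);
    if (lines.length === 0) continue;
    let event = "message"; // SSE default when no "event:" field is present
    const data = [];
    for (const line of lines) {
      if (line.startsWith(":")) continue; // SSE comment line, ignored
      const idx = line.indexOf(":");
      const field = idx === -1 ? line : line.slice(0, idx);
      let value = idx === -1 ? "" : line.slice(idx + 1);
      if (value.startsWith(" ")) value = value.slice(1); // strip one leading space
      if (field === "event") event = value;
      else if (field === "data") data.push(value);
      // "id", "retry" and unknown fields are not needed here and are ignored
    }
    frames.push({ event, data: data.join("\n") });
  }
  return frames;
}

// Event types accepted from a Direct Connection model server (constructed
// allowlist). The important property is that no code-running type exists.
const ALLOWED_EVENTS = new Set(["message", "done"]);

// Dispatch frames: allowed events are appended to the transcript as text;
// anything else (including 'execute') is dropped and recorded for alerting.
function dispatchFrames(frames) {
  const result = { transcript: [], dropped: [] };
  for (const f of frames) {
    if (ALLOWED_EVENTS.has(f.event)) {
      result.transcript.push(f.data); // rendered as text, never evaluated
    } else {
      result.dropped.push({ event: f.event, preview: f.data.slice(0, 40) });
    }
  }
  return result;
}

// Constructed sample stream: one benign token, then an 'execute' event of the
// kind the advisory describes, then an end marker.
const SAMPLE_STREAM = [
  "event: message",
  "data: Hello from the model",
  "",
  "event: execute",
  "data: alert(1) /* attacker-supplied, must not run */",
  "",
  "event: done",
  "data: [DONE]",
  "",
].join("\n");

// Run the sample through the pipeline; the 'execute' frame ends up in dropped.
const sampleResult = dispatchFrames(parseSseFrames(SAMPLE_STREAM));
console.log(JSON.stringify(sampleResult, null, 2));
```

The `dropped` list is the hook for the detection advice above: a client that logs or reports any non-allow-listed event type from a model server gives admins a signal that a configured Direct Connection URL is misbehaving, independent of which server sent it.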

CVSS provenance

NVD (v3.1): 8.0 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
GHSA: 5.4 MEDIUM