PT-2025-45528 · Unknown · Open-Webui

Published 2025-11-07 · Updated 2026-01-16 · CVE-2025-64496

CVSS v3.1: 8.0 (High) · AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Open WebUI versions 0.6.224 and prior
Open WebUI versions 0.6.34 and prior
Open WebUI version 0.6.33 and prior
Description
Open WebUI, a self-hosted artificial intelligence platform, contains a code injection vulnerability in its Direct Connections feature. A malicious external model server can execute arbitrary JavaScript in the victim's browser by sending Server-Sent Event (SSE) "execute" events, which the client runs as code rather than treating as data. Successful exploitation leads to theft of the authentication token (the JWT stored in the browser's local storage), complete account takeover, and potentially remote code execution on the backend server when chained with the Functions API. The attack requires the victim to enable Direct Connections (disabled by default) and to add the attacker's model URL, typically achieved through social engineering. Once that connection exists, the attacker's server injects malicious SSE messages, runs JavaScript in the user's browser, steals the stored JWT, and can potentially gain full server control. The vulnerability affects versions up to and including 0.6.34 and is resolved in version 0.6.35. Exploitation can occur rapidly, with a time to shell of less than 5 seconds.
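The root cause described above is a client that lets an untrusted model server choose what happens with an SSE event, including running its payload as code. The following is an added illustration written for this advisory, not Open WebUI's code or its fix: a minimal SSE frame parser plus an allow-list dispatch policy for a user-added direct-connection server. Event types outside the allow-list (such as "execute") are never evaluated; they are returned as rejections so the client can log or alert on them. The function names, the allow-list contents and the sample stream are all constructed assumptions.

```javascript
// Added illustration (not Open WebUI's code): parse an SSE stream from a
// user-added "Direct Connection" model server and apply an allow-list so
// that no event type can turn a payload into executable code.

// Event types a chat client actually needs from a model server (assumed set).
const ALLOWED_DIRECT_CONNECTION_EVENTS = new Set(["message", "done"]);

// Parse raw SSE text into {event, data} frames. Frames are separated by a
// blank line; "event:" names the type (default "message"), "data:" lines are
// joined with "\n"; comment lines (":...") and id/retry fields are ignored.
function parseSseFrames(raw) {
  const frames = [];
  for (const chunk of raw.split(/\r?\n\r?\n/)) {
    if (!chunk.trim()) continue;
    let event = "message";
    const dataLines = [];
    for (const line of chunk.split(/\r?\n/)) {
      if (line === "" || line.startsWith(":")) continue;
      const idx = line.indexOf(":");
      const field = idx === -1 ? line : line.slice(0, idx);
      let value = idx === -1 ? "" : line.slice(idx + 1);
      if (value.startsWith(" ")) value = value.slice(1);
      if (field === "event") event = value;
      else if (field === "data") dataLines.push(value);
    }
    frames.push({ event, data: dataLines.join("\n") });
  }
  return frames;
}

// Hardened dispatch: only allow-listed event types are accepted, and even
// those are handed back as inert strings for rendering, never evaluated.
// Everything else is recorded as a rejection for logging/alerting.
function dispatchDirectConnectionFrames(frames, allowed = ALLOWED_DIRECT_CONNECTION_EVENTS) {
  const accepted = [];
  const rejected = [];
  for (const f of frames) {
    if (!allowed.has(f.event)) {
      rejected.push({
        event: f.event,
        reason: "event type not permitted from a direct-connection model server",
      });
      continue;
    }
    accepted.push({ event: f.event, text: f.data });
  }
  return { accepted, rejected };
}

// Constructed sample stream: two legitimate frames and one "execute" frame
// whose payload is a harmless placeholder (it is never run either way).
const SAMPLE_STREAM = [
  "event: message",
  'data: {"choices":[{"delta":{"content":"Hello"}}]}',
  "",
  "event: execute",
  'data: {"code":"/* constructed placeholder, never evaluated */"}',
  "",
  "event: done",
  "data: [DONE]",
  "",
].join("\n");

// Run the policy over the sample and return the result (also printed when
// executed directly).
function runSample() {
  const result = dispatchDirectConnectionFrames(parseSseFrames(SAMPLE_STREAM));
  console.log(`accepted=${result.accepted.length} rejected=${result.rejected.length}`);
  for (const r of result.rejected) console.log(`rejected event "${r.event}": ${r.reason}`);
  return result;
}

runSample();
```

The design point is that the allow-list lives on the client and is keyed on event type, so a model server can add whatever event names it likes and the worst outcome is a logged rejection; the payload of an accepted frame is still only ever text to render. Rejections are worth surfacing in the UI or client logs, since a direct-connection server emitting "execute" events is exactly the signal a defender would want to see.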
Recommendations
Open WebUI versions 0.6.224 and prior: Upgrade to version 0.6.35 or later.
Open WebUI versions 0.6.34 and prior: Upgrade to version 0.6.35 or later.
Open WebUI version 0.6.33 and prior: Upgrade to version 0.6.35 or later.

Tags: Exploit · Fix · RCE · Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2025-64496
GHSA-CM35-V4VP-5XVX

Affected Products

Open-Webui