PT-2025-49046 · Unknown · Open-Webui
Published: 2025-12-04 · Updated: 2025-12-05 · CVE-2025-63681
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
open-webui version 0.6.33
Description
The software contains an access control flaw. The /api/tasks/stop/ API endpoint allows tasks to be accessed and cancelled directly, without verifying that the caller owns them. This enables an attacker, even a normal user, to stop any LLM response task. The vulnerable parameter is not specified.
Recommendations
Apply updates to address the access control issue in the /api/tasks/stop/ API endpoint.
Exploit
Fix
Improper Access Control
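The missing ownership check from the description, shown next to a checked variant, as an added example that is not Open WebUI's code. The registry, the class and method names, and the admin exemption are assumptions made for illustration.

```python
# Added illustration: hypothetical names, not Open WebUI's actual code.
import secrets
from dataclasses import dataclass, field


class TaskNotFound(Exception):
    """A real handler would map this to HTTP 404."""


@dataclass
class User:
    id: str
    role: str = "user"  # assumption: roles are "user" or "admin"


@dataclass
class Task:
    owner_id: str
    cancelled: bool = False


@dataclass
class TaskRegistry:
    tasks: dict = field(default_factory=dict)

    def create(self, owner: User) -> str:
        task_id = secrets.token_hex(8)
        self.tasks[task_id] = Task(owner_id=owner.id)
        return task_id

    def stop_unchecked(self, task_id: str, caller: User) -> None:
        # Flawed pattern: the caller is authenticated but never compared
        # with the task's owner, so any task ID is accepted.
        task = self.tasks.get(task_id)
        if task is None:
            raise TaskNotFound(task_id)
        task.cancelled = True

    def stop_checked(self, task_id: str, caller: User) -> None:
        task = self.tasks.get(task_id)
        # Missing and foreign tasks get the same error, so the response
        # does not confirm that another user's task ID exists.
        if task is None or (task.owner_id != caller.id and caller.role != "admin"):
            raise TaskNotFound(task_id)
        task.cancelled = True
```

A regression test for the fix should assert that a second non-admin account cannot change the `cancelled` state of a task it did not create.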
Weakness Enumeration
Related Identifiers
Affected Products
Open-Webui