Incorrect Access Control in Open-WebUI Affects Task Management Functionality
CVE-2025-63681

4.3 MEDIUM

Key Information:

Vendor

Open-WebUI

CVE Published:
4 December 2025

What is CVE-2025-63681?

Open-WebUI version 0.6.33 contains a vulnerability that allows users to circumvent established access controls. The API endpoint /api/tasks/stop/ does not verify ownership of tasks, enabling normal users to stop any running LLM response tasks. This presents a significant security risk, as malicious users could exploit this flaw to disrupt services by canceling critical tasks without authorization.
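The missing ownership check described above, shown beside a corrected version. This is an added example and not Open-WebUI's code; TaskRegistry, User, NotAuthorized, the field names and the admin override are assumptions made for illustration.

```python
# Added illustration of the access-control flaw class; every name here is
# hypothetical and none of it is taken from the Open-WebUI code base.
from dataclasses import dataclass, field
import uuid


@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"  # "user" or "admin" (assumed role model)


class NotAuthorized(Exception):
    """Caller may not act on this task (an API handler would return 403)."""


@dataclass
class TaskRegistry:
    # task_id -> {"owner_id": str, "running": bool}
    tasks: dict = field(default_factory=dict)

    def start(self, owner: User) -> str:
        # Record the owner when the task is created so it can be checked later.
        task_id = str(uuid.uuid4())
        self.tasks[task_id] = {"owner_id": owner.id, "running": True}
        return task_id

    def stop_unchecked(self, task_id: str, caller: User) -> bool:
        # Flawed pattern: the caller is authenticated but never compared
        # with the task's owner, so any user can stop any task.
        task = self.tasks.get(task_id)
        if task is None:
            return False
        task["running"] = False
        return True

    def stop_checked(self, task_id: str, caller: User) -> bool:
        # Corrected pattern: authorize against the recorded owner before
        # changing state. The admin override is an assumption.
        task = self.tasks.get(task_id)
        if task is None:
            return False
        if task["owner_id"] != caller.id and caller.role != "admin":
            raise NotAuthorized(task_id)
        task["running"] = False
        return True
```
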

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
