Code Injection Vulnerability in Open WebUI AI Platform
CVE-2025-64496

7.3 HIGH

Key Information:

Vendor

Open-webui

CVE Published:
8 November 2025

What is CVE-2025-64496?

Open WebUI, a self-hosted AI platform, contains a code injection vulnerability in its Direct Connections feature. In versions up to 0.6.224, a malicious external model server can run arbitrary JavaScript in the victim's browser through the Server-Sent Events (SSE) stream it returns. An attacker can use this to steal authentication tokens, potentially leading to complete account takeover, and, when combined with the Functions API, to achieve remote code execution on the backend server. Exploitation requires that Direct Connections be enabled (it is disabled by default) and that a user add a malicious model URL, for example after social engineering aimed at admins or users. The vulnerability is fixed in version 0.6.35.
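The advisory does not say which browser sink the streamed SSE data reaches, so the following is an added illustration, not Open WebUI's code. It assumes the common pattern of a client that parses `data:` events carrying JSON with a `content` field (a constructed shape) and renders that text into the page. It shows the two controls a defender would want here: streamed text from an untrusted model server is escaped before it touches an HTML sink, and a direct-connection URL is only accepted when it is HTTPS and its host is on an admin-maintained allowlist (the allowlist and the sample stream are constructed for this example).

```javascript
// Added example: defensive handling of Server-Sent Events from a
// user-configured direct-connection model server. Not Open WebUI's code;
// the JSON shape {"content": "..."} is an assumption for illustration.

// Parse raw SSE text into the `data:` payload of each event.
// Events are separated by a blank line; multiple data: lines join with "\n".
function parseSse(raw) {
  const events = [];
  for (const block of raw.split(/\r?\n\r?\n/)) {
    const dataLines = [];
    for (const line of block.split(/\r?\n/)) {
      if (line.startsWith("data:")) {
        dataLines.push(line.slice(5).replace(/^ /, ""));
      }
    }
    if (dataLines.length) events.push(dataLines.join("\n"));
  }
  return events;
}

// Pull the model text out of each event. Anything that is not well-formed
// JSON with a string `content` is dropped instead of being rendered.
function extractContent(events) {
  const parts = [];
  for (const data of events) {
    if (data === "[DONE]") continue;
    try {
      const obj = JSON.parse(data);
      if (typeof obj.content === "string") parts.push(obj.content);
    } catch {
      // Malformed event from an untrusted server: ignore it.
    }
  }
  return parts.join("");
}

// Anti-pattern: server-controlled text concatenated straight into markup.
function renderUnsafe(text) {
  return `<div class="msg">${text}</div>`;
}

// Escape the five HTML-significant characters before the text reaches a sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: the same markup, but with the streamed text escaped.
function renderSafe(text) {
  return `<div class="msg">${escapeHtml(text)}</div>`;
}

// Admin-side control for the feature itself: a direct-connection URL must
// parse, use https, and point at an allowlisted host.
function isAllowedModelUrl(url, allowedHosts) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  return u.protocol === "https:" && allowedHosts.includes(u.hostname);
}

// Constructed sample stream standing in for a hostile model server's reply.
const SAMPLE_STREAM = [
  'data: {"content":"Hello "}',
  "",
  'data: {"content":"<script>alert(1)</script>"}',
  "",
  "data: not json at all",
  "",
  "data: [DONE]",
  "",
].join("\n");

// Constructed allowlist of model hosts an admin has approved.
const ALLOWED_MODEL_HOSTS = ["models.example.internal"];

const streamedText = extractContent(parseSse(SAMPLE_STREAM));
console.log("unsafe:", renderUnsafe(streamedText));
console.log("safe:  ", renderSafe(streamedText));
console.log(isAllowedModelUrl("https://models.example.internal/v1", ALLOWED_MODEL_HOSTS));
console.log(isAllowedModelUrl("http://models.example.internal/v1", ALLOWED_MODEL_HOSTS));
```

Escaping at render time is the control that matters regardless of how the payload arrives; the URL allowlist reduces how easily a socially engineered user can point the client at an attacker-controlled server in the first place.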

Affected Version(s)

open-webui < 0.6.35

References

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
