## Threat Alert: Account Takeover & RCE Flaw in Open WebUI Puts Enterprise AI Deployments at Risk

Executive Summary
Look, there's a nasty security hole (CVE-2025-64496, CVSS 7.3) in Open WebUI—you know, that wildly popular open-source platform for self-hosted AI interfaces. Cato CTRL’s senior researcher Vitaly Simonovich found it. This flaw abuses the platform's "Direct Connections" feature (meant to link users with external AI model servers) to hijack accounts. And get this: with the right permissions, attackers can even pull off full remote code execution (RCE). If you're running any version older than v0.6.35 and handling sensitive data? You’ve got serious exposure.
Impact: Two-Tiered Attack Scenarios
Threat actors get creative here, compromising systems through different paths depending on what permissions victims have.
Account Takeover (All Users)
- How it works: Attackers trick users into connecting to shady AI model servers. Once hooked, the victim’s browser executes malicious JavaScript via `new Function()`.
- What happens next:
  - Their JSON Web Tokens (JWT) get snatched from `localStorage`.
  - Attackers grab everything—chat histories, uploaded docs, API keys, SSO credentials.
  - And yeah, they can impersonate the victim forever.
Remote Code Execution (Privileged Users)
- Trigger: Only if compromised accounts have `workspace.tools` enabled.
- Consequences:
  - Attackers run any Python code they want through Open WebUI’s Tools API.
  - Your backend server’s toast—they’ll steal data, tunnel through your network, and stick around indefinitely.
Scope & Technical Breakdown
- Affected? Running Open WebUI ≤v0.6.34 with Direct Connections on.
- Patch: v0.6.35 fixes it (middleware now blocks `execute` events from Direct Connections).
- Attack Path: Malicious SSE events → JavaScript injection → token theft → optional RCE chaos.
Technical Roots
- Frontend Injection (CVE-2025-64496): The `Chat.svelte` component naively handles "execute" events using `new Function()`, letting attackers run any JavaScript. No safeguards—zero allowlisting, sandboxing, or CSP.
  - Exploit Chain: Direct Connections → Hijacked SSE events → token robbery → account takeover.
- Backend RCE (Bonus Vulnerability): That `/api/v1/tools/create` endpoint? It blindly executes Python code via `exec()`. Pair that with a stolen privileged account token, and attackers own your systems.
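To make the frontend root cause concrete, here is an added illustration (not Open WebUI's code, and not the fix the maintainers shipped) of a minimal SSE event dispatcher in the vulnerable shape the advisory describes, beside a hardened version that validates event types against an allowlist and drops `execute` outright. The event shape `{type, data}`, the `'direct'` source label, and the sample stream are constructed for this demo; the `execute` payload only bumps a counter, standing in for the token-stealing script a hostile model server would send.

```javascript
// Added illustration (not Open WebUI's code): a minimal SSE event dispatcher
// in the vulnerable shape the advisory describes, beside a hardened version.
// The event shape {type, data} and the 'direct' source label are constructed
// assumptions for this demo, not the project's real wire format.

// Event types the client legitimately needs from a model server.
// 'execute' is deliberately absent: a model server must never hand the
// browser code to run.
const ALLOWED_EVENT_TYPES = new Set(['message', 'status', 'done']);

// Vulnerable pattern: whatever the server sends as 'execute' is compiled and
// run in the page's origin, with access to localStorage and the session.
function handleEventVulnerable(event) {
  if (event.type === 'execute') {
    // new Function() on server-supplied text is remote JavaScript execution.
    const fn = new Function(event.data.code);
    return { action: 'executed', result: fn() };
  }
  return { action: 'rendered', text: event.data.content ?? '' };
}

// Hardened pattern: events are validated against an allowlist before any
// handler runs, so 'execute' (and anything else a hostile server invents) is
// dropped regardless of source. The return value says what happened so the
// caller can log dropped events for detection.
function handleEventHardened(event, source) {
  if (typeof event !== 'object' || event === null || typeof event.type !== 'string') {
    return { action: 'dropped', reason: 'malformed event', source };
  }
  if (!ALLOWED_EVENT_TYPES.has(event.type)) {
    return { action: 'dropped', reason: `disallowed event type ${event.type}`, source };
  }
  const content = typeof event.data?.content === 'string' ? event.data.content : '';
  return { action: 'rendered', text: content };
}

// Constructed sample stream from a "direct connection" model server. The
// 'execute' payload is benign here (it only increments a counter).
globalThis.demoCounter = 0;
const SAMPLE_EVENTS = [
  { type: 'message', data: { content: 'Hello from the model' } },
  { type: 'execute', data: { code: 'globalThis.demoCounter += 1; return globalThis.demoCounter;' } },
  { type: 'done', data: {} },
];

// Feed every event in a stream through one handler and collect the outcomes.
function runStream(handler, events, source) {
  return events.map((e) => handler(e, source));
}

console.log('vulnerable:', runStream(handleEventVulnerable, SAMPLE_EVENTS, 'direct'));
console.log('hardened:  ', runStream(handleEventHardened, SAMPLE_EVENTS, 'direct'));
```

The point of the allowlist is that it fails closed: a new event type from a server is ignored until a developer adds it, instead of the client trusting whatever arrives. Logging the `dropped` results gives defenders a signal that a connected model server tried to push code.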
Why Enterprises Should Sweat:
Open WebUI’s exploding—115,000+ GitHub stars and deployments reaching "hundreds of thousands of seats." Major corporations use it for confidential AI workflows. Imagine what hackers could do with stolen chats, code, or documents.
Disclosure Timeline
Cato CTRL played by the book:
- Oct 8, 2025: Alerted Open WebUI maintainers.
- Oct 19: First patch attempt (didn’t fully fix it).
- Nov 5: Bad news—confirmed attackers could exploit `admin-token`.
- Nov 7: Public disclosure via GitHub-assigned CVE-2025-64496.
Mitigations & Best Practices
For All Open WebUI Users:
- Patch NOW: Seriously, upgrade to v0.6.35+.
- Lock Down Connections: Don’t link to sketchy model servers—like, ever.
- Least Privilege: Audit who has `workspace.tools` permissions and strip them where unnecessary.
- Token Hardening: Ditch `localStorage` JWTs for short-lived, `HttpOnly` cookies.
- Watch Tools Closely: Log and scrutinize every Tool creation attempt.
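The "Least Privilege" and "Watch Tools Closely" items above are things you can actually check against your logs. Here is an added example (not Cato's or Open WebUI's code) that reviews reverse-proxy access log lines for POSTs to the `/api/v1/tools/create` endpoint named in this alert and flags any that come from an account not on your approved list of `workspace.tools` holders. The combined-log-style format with a trailing `user=` field, the account names, and the approved list are constructed for the demo; adapt the regex to your proxy's real format.

```javascript
// Added example (not Cato's or Open WebUI's code): flag Tool creation
// attempts in access logs and alert when the account is not an approved
// workspace.tools holder. Log format, users and the approved list are
// constructed for this demo.

// Combined-log-style line with a trailing "user=<name>" field added by the
// reverse proxy (assumption for the demo).
const LOG_LINE = /^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "[^"]*" user=(?<user>\S+)$/;

// Accounts allowed to hold workspace.tools (constructed for the demo).
const APPROVED_TOOL_AUTHORS = new Set(['alice']);

// Endpoints that create executable Tools. Only the create path comes from the
// advisory; add any other Tool-writing routes in your deployment here.
const TOOL_WRITE_PATHS = new Set(['/api/v1/tools/create']);

// Parse one log line into a record, or return null if it does not match.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  return m ? { ...m.groups, status: Number(m.groups.status) } : null;
}

// Return one finding per Tool-creation request: who, from where, whether the
// request succeeded, and whether the account is approved. Unapproved authors
// get severity 'alert'; approved ones still get 'review' because every Tool
// creation deserves a look.
function reviewToolCreation(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'POST') continue;
    const path = rec.path.split('?')[0]; // ignore query strings when matching
    if (!TOOL_WRITE_PATHS.has(path)) continue;
    const approved = APPROVED_TOOL_AUTHORS.has(rec.user);
    findings.push({
      user: rec.user,
      ip: rec.ip,
      timestamp: rec.ts,
      succeeded: rec.status >= 200 && rec.status < 300,
      approved,
      severity: approved ? 'review' : 'alert',
    });
  }
  return findings;
}

// Constructed sample log: a normal chat request, an approved author creating
// a Tool, an unapproved account succeeding at the same, a rejected attempt,
// and a harmless GET of the Tools list.
const SAMPLE_LOG = [
  '10.0.0.5 - - [07/Nov/2025:10:01:02 +0000] "POST /api/v1/chats/new HTTP/1.1" 200 512 "-" "Mozilla/5.0" user=bob',
  '10.0.0.5 - - [07/Nov/2025:10:02:10 +0000] "POST /api/v1/tools/create HTTP/1.1" 200 388 "-" "Mozilla/5.0" user=alice',
  '198.51.100.23 - - [07/Nov/2025:10:03:44 +0000] "POST /api/v1/tools/create HTTP/1.1" 200 390 "-" "Mozilla/5.0" user=bob',
  '198.51.100.23 - - [07/Nov/2025:10:03:50 +0000] "POST /api/v1/tools/create?x=1 HTTP/1.1" 401 40 "-" "Mozilla/5.0" user=carol',
  '10.0.0.9 - - [07/Nov/2025:10:04:00 +0000] "GET /api/v1/tools/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0" user=bob',
];

for (const f of reviewToolCreation(SAMPLE_LOG)) {
  console.log(`[${f.severity}] ${f.timestamp} user=${f.user} ip=${f.ip} succeeded=${f.succeeded}`);
}
```

A successful Tool creation by an account that should not hold `workspace.tools` is exactly the post-takeover step this alert warns about, so treat an `alert` finding with `succeeded=true` as an incident, not a permissions cleanup task. Failed attempts are still worth keeping: they show which stolen or misused accounts are probing for the RCE path.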
Cato SASE Platform Protections:
- Block Attacks: Uses IPS, Advanced Threat Prevention (ATP), and Zero Trust (ZTNA) to stop these exploits cold.
- Eyes on Threats: Cato MDR teams automatically spot shady JavaScript and token theft attempts.
Conclusion
Here’s the gut punch: Open WebUI trusted third-party model servers way too much, treating them as harmless data sources when they could stream live code. Yes, v0.6.35 fixes the Direct Connections issue, but companies need to go further: harder auth, sandboxed code execution, and treating "OpenAI-compatible" integrations like ticking time bombs. As AI platforms keep exploding, these supply chain risks demand constant security reviews.
Bottom line: Treat outside LLMs like unvetted code—lock them down relentlessly, monitor everything, and layer your defenses.