- Open WebUI carried CVE-2025-64496, a high-severity code injection flaw in Direct Connection options
- Exploitation may allow account takeover and RCE through malicious mannequin URLs and Capabilities API chaining
- Patch v0.6.35 provides middleware protections; customers urged to limit Direct Connections and monitor software permissions
Open WebUI, an open-source, self-hosted net interface for interacting with native or distant AI language fashions, carried a high-severity vulnerability that enabled account takeover and, in some instances, distant code execution (RCE), as properly.
That is in keeping with Cato CTRL Senior Safety Researcher Vitaly Simonovich who, in October 2025, disclosed a vulnerability that’s now tracked as CVE-2025-64496.
This bug, which was given a severity rating of 8.0/10 (excessive), is described as a code injection flaw within the Direct Connection options, which permits risk actors to run arbitrary JavaScript in browsers through Server-Despatched Occasion (SSE) execute occasions.
Customers invited to patch
Direct Connections lets customers join the interface on to exterior, OpenAI-compatible mannequin servers by specifying a customized API endpoint.
By abusing the flaw, risk actors can steal tokens and utterly take over compromised accounts. They, in flip, might be chained with the Capabilities API, resulting in distant code execution on the backend server.
The silver lining, in keeping with NVD, is that the sufferer must first allow Direct Connections, which is disabled by default, and add the attacker’s malicious mannequin URL. The latter, nevertheless, might be achieved comparatively simply via social engineering.
Affected variations embody v.0.6.34, and earlier, and customers are suggested to patch to model 0.6.35, or newer. Cato mentioned the repair provides middleware to dam the execution of SSEs from Direct Connection servers.
Moreover, the researchers additionally mentioned customers ought to deal with connections to exterior AI servers like third-party code, and with that in thoughts, ought to restrict Direct Connections solely to correctly vetted companies.
Lastly, customers must also restrict the workspace.instruments permissions to important customers solely and maintain tabs on any suspicious software creations. “It is a typical belief boundary failure between untrusted mannequin servers and a trusted browser context,” Cato concluded.
The very best antivirus for all budgets
Comply with TechRadar on Google Information and add us as a most popular supply to get our skilled information, evaluations, and opinion in your feeds. Be certain that to click on the Comply with button!
And naturally you too can comply with TechRadar on TikTok for information, evaluations, unboxings in video kind, and get common updates from us on WhatsApp too.
