A high-severity vulnerability in Open WebUI has been identified, potentially allowing remote code execution and account takeover. This flaw, tracked as CVE-2025-64496, was disclosed by Vitaly Simonovich, a senior security researcher at Cato CTRL, in October 2025. The vulnerability affects the platform’s Direct Connection features, which facilitate the interaction with external AI language models.
The vulnerability has a severity score of 8.0 out of 10, indicating its critical nature. It is categorized as a code injection flaw that enables threat actors to run arbitrary JavaScript in web browsers through Server-Sent Event (SSE) execute events. Users have been urged to take immediate action to mitigate the risks associated with this vulnerability.
Understanding the Risks of Direct Connections
Direct Connections allow users to link Open WebUI directly to external, OpenAI-compatible model servers by specifying a custom API endpoint. Exploiting the identified flaw, attackers can steal user tokens and completely take over compromised accounts. This takeover can further lead to remote code execution on the backend server by chaining the attack with the Functions API.
While the vulnerability poses a significant risk, it is important to note that Direct Connections are disabled by default. Users must actively enable this feature and input an attacker’s malicious model URL, which can be achieved through social engineering tactics.
Affected versions of Open WebUI include any prior to version 0.6.34. Users are strongly advised to update to version 0.6.35 or later. The latest patch introduces middleware designed to block the execution of SSEs from potentially harmful Direct Connection servers.
Recommended Security Practices
In addition to updating software, security researchers recommend treating connections to external AI servers with caution. Users should limit Direct Connections to only those services that have been thoroughly vetted. Furthermore, they should restrict permissions within the workspace.tools to essential users only and monitor for any suspicious tool creations.
“This is a typical trust boundary failure between untrusted model servers and a trusted browser context,” Simonovich stated, emphasizing the need for heightened security awareness among users.
By taking these precautions, Open WebUI users can significantly reduce their exposure to potential threats associated with this vulnerability. Keeping software updated and maintaining strict security practices is crucial in today’s digital landscape to safeguard against evolving cyber threats.
