{"id":15417,"date":"2026-01-06T11:26:33","date_gmt":"2026-01-06T11:26:33","guid":{"rendered":"https:\/\/newestek.com\/?p=15417"},"modified":"2026-01-06T11:26:33","modified_gmt":"2026-01-06T11:26:33","slug":"open-webui-bug-turns-free-model-into-an-enterprise-backdoor","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15417","title":{"rendered":"Open WebUI bug turns \u2018free model\u2019 into an enterprise backdoor"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Security researchers have flagged a high-severity flaw in <a href=\"https:\/\/github.com\/open-webui\/open-webui\/commit\/8af6a4cf21b756a66cd58378a01c60f74c39b7ca\">Open WebUI<\/a>, a self-hosted enterprise interface for large language models, that allows external model servers connected via its Direct Connections feature to inject malicious code and hijack AI workloads.<\/p>\n<p>The issue, tracked as CVE-2025-64496, stems from unsafe handling of server-sent events (SSE), enabling account takeover and, in some cases where the account has extended permissions, remote code execution (RCE) on backend servers.<\/p>\n<p>According to Cato CTRL findings, if an employee connects Open WebUI to an attacker-controlled model endpoint, for example under the pretext of a \u201cfree GPT-4 alternative\u201d, the frontend can be tricked into silently executing injected JavaScript.
That code steals JSON Web Tokens (JWTs) from the browser context, offering attackers persistent access to the victim\u2019s AI workspace, documents, chats, and embedded API keys.<\/p>\n<p>The bug impacts Open WebUI versions up to 0.6.34 and is fixed in v0.6.35, with enterprises urged to patch production deployments without delay.<\/p>\n<h2 class=\"wp-block-heading\" id=\"convenience-feature-turned-into-a-crisis\">Convenience feature turned into a crisis<\/h2>\n<p>Cato researchers <a href=\"https:\/\/www.catonetworks.com\/blog\/cato-ctrl-vulnerability-discovered-open-webui-cve-2025-64496\/\">said<\/a> the problem is Direct Connections, a feature intended to let users connect Open WebUI to external, OpenAI-compatible model servers. The platform\u2019s SSE handler trusts incoming events from these servers, especially those tagged as \u201c{type: execute},\u201d and executes their payload via a dynamic JavaScript constructor.<\/p>\n<p>When a user connects to a malicious server, something easily arranged through <a href=\"https:\/\/www.csoonline.com\/article\/4051570\/you-should-be-aware-of-these-latest-social-engineering-trends.html\">social engineering<\/a>, that server can stream an SSE carrying executable JavaScript. That script runs with full access to the browser\u2019s storage layer, including the JWT used for authentication.<\/p>\n<p>\u201cOpen WebUI stores the JWT token in localStorage,\u201d Cato researchers said in a blog post. \u201cAny script running on the page can access it. Tokens are long-lived by default, lack HttpOnly, and are cross-tab.
When combined with the execute event, this creates a window for account takeover.\u201d<\/p>\n<p>The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker\u2019s malicious model URL, according to an NVD <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-64496\">description<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Escalating to Remote Code Execution<\/h2>\n<p>The risk doesn\u2019t stop at account takeover. If the compromised account has workspace.tools permissions, attackers can leverage that session token to push authenticated Python code through Open WebUI\u2019s Tools API, which executes without sandboxing or validation.<\/p>\n<p>This turns a browser-level compromise into full remote code execution on the backend server. Once an attacker gets Python execution, they can install persistence mechanisms, pivot into internal networks, access sensitive data stores, or run lateral attacks.<\/p>\n<p>NVD rated the flaw high severity with a base score of 8\/10, and GitHub gave it a base score of 7.3\/10. It was rated high rather than critical because exploitation requires the Direct Connections feature to be enabled and hinges on a user first being lured into connecting to a malicious external model server. The fix in Open WebUI v0.6.35 blocks \u201cexecute\u201d SSE events from Direct Connections entirely, but any organization still on older builds remains exposed. Additionally, the researchers advised moving authentication to short-lived and HttpOnly cookies with rotation.
\u201cPair with a strict CSP and ban dynamic code evaluation\u201d, they added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have flagged a high-severity flaw in Open WebUI, a self-hosted enterprise interface for large language models, that allows external model servers connected via its Direct Connections feature to inject malicious code and hijack AI workloads. The issue, tracked as CVE-2025-64496, stems from unsafe handling of server-sent events (SSE), enabling account takeover and, in some cases, with extended permissions, remote code execution (RCE)\u00a0 on&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15417\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15417","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15417"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15417\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}