Is Your Open WebUI Vulnerable to Server Takeover?

The increasing reliance on customizable front-ends for interacting with large language models has created a new frontier for both innovation and security vulnerabilities, where the convenience of open-source solutions can mask underlying risks. A critical flaw identified in Open WebUI, a popular self-hosted web interface, underscores this challenge, exposing users to account and server takeovers. The vulnerability, designated CVE-2025-64496, has a high-severity rating of 7.3 and affects all software versions up to 0.6.34. The flaw fundamentally breaks the chain of trust between the user’s interface and the AI models it connects to, creating an opening for attackers to inject malicious code into a user’s browser session. For organizations that have integrated Open WebUI into their workflows, this represents a significant threat. A successful exploit could expose sensitive conversations and private documents and, in a worst-case scenario, grant an attacker remote code execution on the host server, turning a helpful AI tool into a dangerous backdoor.

The Anatomy of an Exploit

The exploit vector for CVE-2025-64496 originates within a feature known as “Direct Connections,” designed to allow users to link their Open WebUI instance to external, OpenAI-compatible servers. The problem’s core is a critical failure in trust validation; the application assumes messages from these external servers are safe and fails to sanitize them. An attacker can weaponize this trust by persuading a user to connect their interface to a malicious server masquerading as a legitimate AI endpoint. Once this connection is established, the hostile server can transmit a specially crafted server-sent event (SSE) to the victim’s browser. This event is designed to bypass security measures and execute arbitrary JavaScript code within the user’s session. This code execution is the key to the compromise, as its primary goal is to exfiltrate authentication tokens from the browser’s local storage. With these tokens, the attacker hijacks the user’s session, gaining complete control over their account and all associated data.

From Disclosure to Mitigation

The implications of this session hijacking extended beyond simple data theft, creating a pathway for a full server compromise. If a compromised user account possessed “workspace.tools” permissions, an attacker could use their stolen credentials to achieve remote code execution (RCE) on the server hosting the Open WebUI instance. This alarming potential prompted a swift response once the vulnerability was disclosed to the Open WebUI maintainers in October 2025. The flaw’s details were made public on November 7, 2025, concurrently with a patch release. The fix, available in Open WebUI version 0.6.35 and later, addressed the root cause by blocking the malicious server-sent events. While the patch neutralized this threat, researchers stressed that the incident highlighted the need for a more robust security posture. Organizations were advised to look beyond software updates and proactively implement enhanced authentication, process sandboxing, and stricter resource access restrictions to guard against future threats.
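The version boundary and permission condition described above can be turned into a triage pass over an instance inventory. The following is an added example, not code from Open WebUI or the researchers; the inventory format, host names, field names such as `direct_connections_enabled`, and the triage labels are assumptions made for illustration.

```python
import re

FIXED = (0, 6, 35)  # first patched release named in the article

def parse_version(text):
    """Parse 'v0.6.34' or '0.6.34' into a tuple; anything else returns None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(instance):
    """Return a triage label (not a CVSS score) for one inventory record."""
    version = parse_version(instance.get("version"))
    if version is None:
        return "unknown"  # tags like 'latest' or '0.6.35-dev' prove nothing
    if version >= FIXED:
        return "patched"
    # Vulnerable build. Assume Direct Connections is on unless recorded off.
    if not instance.get("direct_connections_enabled", True):
        return "vulnerable-feature-off"
    users = instance.get("users", [])
    if any("workspace.tools" in u.get("permissions", []) for u in users):
        return "critical"  # hijacked session can escalate to server RCE
    return "high"  # account takeover and data exposure

def report(inventory):
    """Map each host in the inventory to its triage label."""
    return {rec["host"]: triage(rec) for rec in inventory}

# Constructed sample inventory; hosts and field names are hypothetical.
INVENTORY = [
    {"host": "ai-lab-01", "version": "0.6.34",
     "users": [{"name": "alice", "permissions": ["workspace.tools"]}]},
    {"host": "ai-lab-02", "version": "v0.6.30",
     "users": [{"name": "bob", "permissions": []}]},
    {"host": "ai-lab-03", "version": "0.6.35", "users": []},
    {"host": "ai-lab-04", "version": "latest", "users": []},
    {"host": "ai-lab-05", "version": "0.6.12",
     "direct_connections_enabled": False, "users": []},
]

if __name__ == "__main__":
    for host, label in report(INVENTORY).items():
        print(f"{host}: {label}")
```

Records that land in "unknown" need a manual version check, since an unpinned or pre-release tag cannot be shown to include the fix.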
