- The exposed web interface contains CVE-2025-64496, a severe code injection vulnerability in the direct connect functionality.
- Exploitation can lead to account takeover and RCE via malicious model URLs and API function chain.
- Patch v0.6.35 adds middleware protection; users were urged to limit direct connections and control tool permissions
Open WebUI, a standalone open source web interface for interacting with local or remote AI language modelscontained a high-severity vulnerability that could allow account hijacking and, in some cases, remote code execution (RCE).
This was reported by Cato CTRL senior researcher Vitaly Simonovich, who in October 2025 disclosed a vulnerability that is now tracked as CVE-2025-64496.
This bug, which has been rated as Severity 8.0/10 (High), is described as a code injection flaw in direct connection functions that allows attackers to execute arbitrary JavaScript in browsers via Server Sent Event Execution (SSE) events.
Users are invited to fix
Direct Connections allows users to connect the interface directly to external OpenAI-compatible model servers by specifying a custom API endpoint.
By exploiting this vulnerability, attackers can steal tokens and take full control of compromised accounts. These, in turn, can be linked to the functions API, resulting in remote code execution on the back-end server.
The upside, according to NVD, is that the victim must first enable Direct Connections, which is disabled by default, and add the URL of the attacker's malicious model. The latter, however, can be achieved relatively easily through social engineering.
Affected versions include version 0.6.34 and earlier, and users are advised to patch to version 0.6.35 or later. Cato said the fix adds middleware to block SSE execution from direct connect servers.
In addition, the researchers also stated that users should treat connections to external AI servers as if they were third-party code and, with this in mind, should limit direct connections to only properly vetted services.
Finally, users should also limit workspace.tools permissions to primary users only and keep an eye out for the creation of any suspicious tools. “This is a typical failure of the trust boundary between the untrusted model servers and the trusted browser context,” Cato concluded.
The best antivirus for any budget
Follow TechRadar on Google News. And add us as your preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the “Subscribe” button!
And of course you can also Follow TechRadar on TikTok for news, reviews, unboxing videos and get regular updates from us on whatsapp too much.
