- Open WebUI carried CVE-2025-64496, a high severity code injection vulnerability in Direct Connection functions
- Exploitation could enable account takeover and RCE via malicious model URLs and Functions API chains
- Patch v0.6.35 adds middleware protection; users are encouraged to limit direct connections and monitor tool permissions
Open WebUI, an open source, self-hosted web interface for interacting with local or remote AI language models, carried a serious vulnerability that allowed account takeover and, in some cases, remote code execution (RCE).
This is according to Cato CTRL Senior Security Researcher Vitaly Simonovich, who in October 2025 disclosed a vulnerability now tracked as CVE-2025-64496.
This bug, which received a severity score of 8.0/10 (High), is described as a code injection flaw in the Direct Connection features that allows threat actors to execute arbitrary JavaScript in browsers via Server-Sent Event (SSE) execution events.
Users invited to patch
Direct Connections lets users connect the interface directly to external, OpenAI-compliant model servers by specifying a custom API endpoint.
By exploiting the flaw, threat actors can steal tokens and completely take over compromised accounts. They can in turn be chained with the Functions API, leading to remote code execution on the backend server.
The advantage, according to NVD, is that the victim must first enable Direct Connections, which is disabled by default, and add the attacker’s malicious model URL. However, the latter can be achieved relatively easily through social engineering.
Affected versions include v.0.6.34 and earlier, and users are advised to patch to version 0.6.35 or later. Cato said the fix adds middleware to block the execution of SSEs from Direct Connection servers.
Moreover, the researchers also said that users should treat connections to external AI servers as third-party code, and with that in mind, they should only limit direct connections to properly vetted services.
Finally, users should also limit the workspace.tools permissions to only important users and watch for any suspicious tool creations. “This is a typical trust boundary error between untrusted model servers and a trusted browser context,” Cato concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
