Security researchers have uncovered a serious vulnerability in Open WebUI, a popular self-hosted interface for managing large language models. This flaw could let attackers hijack AI workloads and steal sensitive data. The problem is tied to how the platform handles external connections and server-sent events, or SSEs.

How the Flaw Works and Its Risks

The vulnerability, identified as CVE-2025-64496, stems from unsafe processing of SSEs from external model servers connected via the platform’s Direct Connections feature. This feature was meant to allow users to link Open WebUI to compatible external AI models. However, if an attacker manages to trick a user into connecting to a malicious server—say, by offering a “free GPT-4 alternative”—the server can stream malicious JavaScript code.

This injected code runs within the user’s browser and can access stored tokens, including JSON Web Tokens (JWTs), which are used for authentication. Since Open WebUI stores JWTs in localStorage—a common but insecure practice—these tokens are accessible to any script running on the page. Attackers can use this to take over user accounts, access chats, documents, and even embedded API keys. The flaw impacts versions up to 0.6.34, with a fix available in version 0.6.35. Users are urged to update immediately to protect their systems.

From Account Takeover to Remote Code Execution

The danger doesn’t stop at stealing tokens. If an attacker gains access to an account with certain permissions, they can execute code on the backend server. This is possible because of how the platform handles SSEs tagged as “{type: execute}.” When these events are received from a malicious server, they can trigger the execution of arbitrary JavaScript on the user’s browser.

This JavaScript has full access to the browser’s storage, including JWTs, which can then be used to authenticate further actions. With the right permissions, attackers can push malicious Python code through Open WebUI’s Tools API. This API runs code directly on the server without sandboxing or validation, turning what started as a browser compromise into full remote code execution on the server itself.

Once they have control of the backend, attackers can install persistent malware, access sensitive data, pivot into internal networks, or carry out lateral attacks. The severity of this flaw is rated high, with an 8 out of 10 score by the National Vulnerability Database and 7.3 out of 10 by GitHub. While serious, it’s not labeled as critical because exploitation requires the user to first enable the Direct Connections feature and connect to a malicious server, which involves social engineering.

This vulnerability highlights the importance of cautious external integrations and proper security measures when deploying AI management tools. Enterprises using Open WebUI should patch their systems immediately to prevent potential breaches and safeguard sensitive information.

Inspired by

• https://www.infoworld.com/article/4113142/open-webui-bug-turns-the-free-model-into-an-enterprise-backdoor.html

Sources

• github.com
• catonetworks.com
• csoonline.com
• nist.gov