The rapid adoption of self-hosted AI interfaces has introduced powerful new capabilities for organizations, but it also conceals complex security challenges within features designed for convenience. This guide details a critical vulnerability discovered in Open WebUI, a popular interface for large language models. By understanding the anatomy of this threat, administrators can take the necessary steps to secure their instances, protect user data, and fortify their broader AI infrastructure against similar attacks. The following sections provide a comprehensive overview of the vulnerability, a step-by-step breakdown of the attack chain, and actionable guidance for mitigation and long-term security.
A New Threat Emerges: Understanding the CVE-2025-64496 Vulnerability
A high-severity vulnerability, officially tracked as CVE-2025-64496, has been identified in the Open WebUI platform, presenting a substantial threat to users and organizations. Security researchers assigned the flaw a 7.3 severity score, reflecting its potential to enable complete account takeover and, under certain conditions, remote code execution (RCE) on the host server. This vulnerability does not require complex prerequisites to exploit, making it a particularly urgent issue for administrators to address. The discovery highlights a growing class of risks associated with interconnected, self-hosted AI systems.
The core of the issue resides within a feature known as “Direct Connections,” and it specifically affects Open WebUI versions 0.6.34 and older. The key takeaways are straightforward: the flaw is triggered when a user connects to a malicious server, the immediate impact is the theft of authentication tokens, and the ultimate risk is a full server compromise. Fortunately, the Open WebUI maintainers responded swiftly after the disclosure in late 2025, and a patch that fully remediates the vulnerability is readily available. Understanding the mechanics of this flaw is the first step toward implementing an effective defense.
The Achilles’ Heel of Open WebUI’s ‘Direct Connections’
Open WebUI serves as a versatile, self-hosted user interface that allows individuals and teams to interact with a wide range of AI models. Its appeal lies in its flexibility, offering a consolidated dashboard for managing different models, chat histories, and system settings. It is designed to connect to various large language model backends, providing a user-friendly layer on top of complex AI infrastructure. This capability makes it a popular choice for developers, researchers, and enterprises looking to build customized AI-powered workflows.
One of its most flexible features, “Direct Connections,” allows users to link their Open WebUI instance directly to external, OpenAI-compatible model servers. This functionality is intended to foster an open ecosystem where users can leverage third-party model providers or distributed internal services. However, this design, which prioritizes interoperability, inadvertently created a critical attack vector. By trusting the data sent from these external servers without sufficient validation, Open WebUI exposed a pathway for an attacker-controlled server to send malicious instructions back to the user’s browser, turning a feature of convenience into a gateway for compromise.
Anatomy of the Attack: From Lure to Server Compromise
Step 1: The Social Engineering Lure
The attack begins not with a technical exploit but with human manipulation. An attacker’s primary objective is to convince a legitimate Open WebUI user to add a malicious server address to their “Direct Connections” list. This is typically achieved through social engineering tactics, where the attacker might post a deceptive link on a public forum, in a direct message, or on a community Discord server, promising access to a new, powerful, or uncensored AI model.
The lure is crafted to appear trustworthy and appealing to an unsuspecting user. For instance, the attacker might advertise their server as a free alternative to a premium service or as a specialized model for a niche task. Once the user manually adds the malicious URL in their Open WebUI settings and initiates a connection, the first stage of the attack is complete. The user, believing they are simply accessing a new resource, has unknowingly opened a direct line of communication between their browser and the attacker’s machine.
Step 2: The Malicious Handshake and Payload Delivery
With the connection established, the attack transitions from social engineering to a technical exploit. The attacker-controlled server is configured to respond to the connection request in a very specific way. Instead of engaging in a standard protocol handshake to serve an AI model, the server sends a specially crafted server-sent event (SSE) back to the victim’s browser. This event contains a malicious payload designed to be executed by the browser.
This technique is effective because the Open WebUI front end is designed to process server-sent events to handle streaming responses from AI models. The vulnerability stems from the application’s failure to properly sanitize or validate the content of these events coming from a third-party server. Consequently, the attacker can craft an SSE that the browser misinterprets as executable code, allowing them to bypass security measures that would normally prevent a remote server from running scripts within the context of the user’s session.
Insight: How the Server-Sent Event Executes Code
The server-sent event payload is not a typical script but a disguised instruction that manipulates the web application’s existing functions. It leverages the trust the browser places in the Open WebUI domain to execute arbitrary JavaScript. When the victim’s browser receives the malicious SSE, it processes it as part of the ongoing session. The embedded JavaScript therefore runs with the same permissions as the Open WebUI application itself, giving it access to the sensitive information the browser stores for that site. Because the code executes inside the Open WebUI origin, the cross-origin policies that normally isolate websites from one another offer no protection.
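The hardening the passage above calls for is to treat every byte from a Direct Connection as untrusted data. The following is an added example, not Open WebUI's code: a defensive consumer for an OpenAI-compatible streaming reply that keeps only default "message" events carrying a JSON chat chunk of the expected shape, counts everything else as dropped, and hands back plain text that a UI should render with textContent, never as markup or code. The chunk shape it validates against is the public OpenAI streaming format; the sample stream is constructed.

```javascript
// Added example, not Open WebUI's code: a defensive SSE consumer for an
// OpenAI-compatible stream received over a "Direct Connection". The remote
// server is untrusted, so only well-formed chat chunks survive parsing.

// Parse one raw SSE frame (the lines before a blank line) into {event, data}.
function parseSseFrame(frame) {
  let event = "message";
  const data = [];
  for (const line of frame.split(/\r?\n/)) {
    if (line.startsWith("event:")) event = line.slice(6).trim();
    else if (line.startsWith("data:")) data.push(line.slice(5).replace(/^ /, ""));
    // id:, retry: and comment lines carry nothing this client acts on.
  }
  return { event, data: data.join("\n") };
}

// Validate a chunk against the narrow streaming shape the UI expects and
// return its delta text, or null if the chunk must be discarded.
function extractDeltaText(json) {
  let chunk;
  try { chunk = JSON.parse(json); } catch { return null; }
  if (typeof chunk !== "object" || chunk === null) return null;
  if (chunk.object !== "chat.completion.chunk") return null;
  const choice = Array.isArray(chunk.choices) ? chunk.choices[0] : null;
  const content = choice && choice.delta ? choice.delta.content : undefined;
  return typeof content === "string" ? content : null;
}

// Consume a whole stream body. Returns text-only output plus a count of
// dropped frames so unexpected server behaviour can be surfaced to the user.
function consumeStream(body) {
  const result = { text: "", dropped: 0, done: false };
  for (const frame of body.split(/\r?\n\r?\n/)) {
    if (!frame.trim()) continue;
    const { event, data } = parseSseFrame(frame);
    if (event !== "message") { result.dropped++; continue; }
    if (data === "[DONE]") { result.done = true; break; }
    const delta = extractDeltaText(data);
    if (delta === null) { result.dropped++; continue; }
    result.text += delta;
  }
  return result;
}

// Constructed sample: two valid chunks, a custom event the UI does not know,
// a chunk whose content is not a string, then the terminator.
const SAMPLE_STREAM = [
  'data: {"object":"chat.completion.chunk","choices":[{"delta":{"content":"Hel"}}]}', '',
  'data: {"object":"chat.completion.chunk","choices":[{"delta":{"content":"lo"}}]}', '',
  'event: custom', 'data: {"note":"not a chat chunk"}', '',
  'data: {"object":"chat.completion.chunk","choices":[{"delta":{"content":{"html":"x"}}}]}', '',
  'data: [DONE]', '',
].join("\n");
```

Running consumeStream(SAMPLE_STREAM) yields the text "Hello" with two frames dropped; the point is that nothing the server sends is ever looked up as a function, evaluated, or written as HTML.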
Step 3: Hijacking the Session and Exfiltrating Data
The immediate impact of the successful JavaScript execution is the theft of the user’s authentication credentials. The malicious script is programmed to read the browser’s local storage, a per-origin key-value store in which websites persist data. For Open WebUI, this is where the user’s authentication token is kept. This token functions like a key, proving the user’s identity to the server for the duration of their session. The script grabs this token and sends it back to the attacker’s server.
With the authentication token in hand, the attacker can now impersonate the victim completely. They can log into the user’s Open WebUI account from anywhere, effectively hijacking the session. This grants them full access to all the user’s data, including private chat histories, documents or files uploaded to the platform, and any credentials or sensitive information that may have been discussed in conversations with the AI models. The compromise extends beyond just viewing data; the attacker can also act on behalf of the user, altering settings or deleting information.
Warning: The Dangers of Exposed Chat Histories
The exposure of chat histories represents a particularly severe risk. Users often treat conversations with AI models as private and may discuss proprietary company information, share code snippets containing API keys, or input personally identifiable information (PII). An attacker gaining access to these logs could lead to intellectual property theft, financial fraud, or further targeted attacks. This turns the user’s entire interaction history into a treasure trove of sensitive data, compounding the damage far beyond the initial account takeover.
Step 4: Escalating Privileges to Server Takeover
For some users, the attack does not stop at account takeover. The vulnerability can be escalated to a full server compromise if the hijacked account has specific elevated permissions. The key to this escalation is the workspace.tools permission, a setting that allows users to execute system commands through the Open WebUI interface, often for administrative or development tasks.
If an attacker successfully hijacks the account of an administrator or another user with this permission enabled, they can leverage the feature to achieve remote code execution (RCE). By sending commands through the compromised user’s session, the attacker can run arbitrary code directly on the Open WebUI server. This moves the breach from a user-level compromise to a complete takeover of the underlying infrastructure, allowing the attacker to install malware, exfiltrate data from the server itself, or use it as a pivot point to attack other systems on the network.
Critical Risk: The Privilege Escalation Vector
The potential for privilege escalation makes administrators and power users the highest-value targets for this attack. A compromise of a standard user’s account is damaging, but the compromise of an administrative account is catastrophic. It could lead to the exposure of all user data on the platform, the destruction of the Open WebUI instance, and a deep, persistent breach of the host system. This escalation vector underscores the importance of applying the principle of least privilege, ensuring that users only have the permissions absolutely necessary for their roles.
Key Takeaways: CVE-2025-64496 at a Glance
This vulnerability, identified as CVE-2025-64496, centers on the “Direct Connections” feature within Open WebUI and poses a significant security risk. It directly impacts all instances running version 0.6.34 or any earlier release, leaving a wide range of deployments exposed until they are updated. The primary impact is account takeover, which is accomplished through the theft of authentication tokens stored in the victim’s browser. This alone grants an attacker access to all of a user’s data within the platform.
Moreover, the risk escalates dramatically for users who have been granted workspace.tools permissions. For these accounts, the initial breach can be leveraged to achieve remote code execution, giving the attacker control over the server hosting the Open WebUI instance. The definitive solution to this critical flaw is to update immediately. Administrators must ensure their deployments are running version 0.6.35 or newer, as this release contains the necessary patch to block the malicious server-sent events that enable the exploit.
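The two facts in this summary, the 0.6.35 patch threshold and the special danger of workspace.tools holders, are what an administrator would check first. Below is an added example, not Open WebUI's own tooling, that turns them into a small audit: it compares version strings numerically (so 0.10.x is correctly newer than 0.6.35) and lists the accounts whose takeover could reach the host. The user-record shape, including the assumption that admin accounts hold the permission, is constructed for this example and is not Open WebUI's real schema.

```javascript
// Added example, not Open WebUI's own tooling: audit a deployment against the
// patch threshold and the workspace.tools escalation path described above.
const PATCHED_VERSION = "0.6.35";

// Compare dotted version strings numerically, so "0.6.35" > "0.6.4" and
// "0.10.0" > "0.6.35" (a plain string comparison gets both wrong).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Assumed record shape for this example (not Open WebUI's real schema):
// { name, role, permissions: { workspace: { tools } } }. Admins are treated
// as holding the permission, which is an assumption made here.
function hasToolsPermission(user) {
  return user.role === "admin" || Boolean(user.permissions?.workspace?.tools);
}

// Produce a risk summary for one deployment.
function auditDeployment(version, users) {
  const report = {
    version,
    patchRequired: isVulnerableVersion(version),
    rceRisk: users.filter(hasToolsPermission).map(u => u.name),
  };
  // Any hijacked account exposes its chat history; only rceRisk accounts
  // can be leveraged against the host itself.
  report.severity = !report.patchRequired ? "patched"
    : report.rceRisk.length ? "critical" : "high";
  return report;
}

// Constructed sample: one admin, one user granted workspace.tools, and one
// ordinary user.
const SAMPLE_USERS = [
  { name: "alice", role: "admin", permissions: {} },
  { name: "bob", role: "user", permissions: { workspace: { tools: true } } },
  { name: "carol", role: "user", permissions: { workspace: { tools: false } } },
];
```

auditDeployment("0.6.34", SAMPLE_USERS) reports severity "critical" with alice and bob at RCE risk; the same user set on 0.6.35 reports "patched".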
Beyond the Patch: Fortifying Your AI Infrastructure
Simply applying the patch for CVE-2025-64496 is a crucial first step, but this incident serves as a broader warning about the security posture of self-hosted AI tools. As these platforms become more interconnected, the risk of vulnerabilities arising from third-party integrations increases. Organizations should adopt a policy of vetting all external connections and treating any third-party server link as a potential security risk until proven otherwise. This requires a shift in mindset from assuming trust to verifying it.
In line with recommendations from security experts at Cato Networks, administrators should implement a defense-in-depth strategy. This includes strengthening authentication methods across the board by enforcing multi-factor authentication (MFA) wherever possible, which can prevent an attacker from using a stolen token. Furthermore, adhering to the principle of least privilege is paramount. By ensuring that users, especially those with access to sensitive features like workspace.tools, are granted only the minimum permissions necessary, organizations can limit the potential damage of a compromised account and prevent an account takeover from escalating into a full server compromise.
Final Verdict: A Call for Urgent Action and Vigilance
The discovery of CVE-2025-64496 in Open WebUI is a stark reminder that even features designed for flexibility and openness can harbor critical security flaws. The potential for account takeover and server compromise presents a severe and immediate risk to any organization or individual running a vulnerable version. The path from a simple, deceptive link to a full-scale system breach is alarmingly short, making inaction a significant liability.
Therefore, a strong and immediate call to action is necessary for all administrators managing Open WebUI instances. The primary directive is clear: update all deployments to version 0.6.35 or a more recent version without delay to apply the official patch. This single action is the most effective measure to neutralize the threat. Beyond this immediate fix, the incident highlights the ongoing need for robust security hygiene. This includes conducting regular software updates, providing users with awareness training to help them recognize and avoid social engineering lures, and consistently reviewing user permissions to enforce the principle of least privilege. Continuous vigilance is the only sustainable defense against the evolving threat landscape targeting AI infrastructure.
