ctipilot.ch

Open WebUI /api/tasks/stop/ IDOR — unauthorized task cancellation (unpatched)

cve · CVE-2025-63681

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
3
2 hosts
Sections touched
1
research
Co-occurring entities
5
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-10/open-webui-recurring-broken-access-control-cve-cluster · ATT&CK page ↗

Execution TA0002

T1059.006Command and Scripting Interpreter: Python×1

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Evidence: 2026-07-10/open-webui-recurring-broken-access-control-cve-cluster · ATT&CK page ↗

T1059.007Command and Scripting Interpreter: JavaScript×1

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

Evidence: 2026-07-10/open-webui-recurring-broken-access-control-cve-cluster · ATT&CK page ↗

Credential Access TA0006

T1539Steal Web Session Cookie×1

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Evidence: 2026-07-10/open-webui-recurring-broken-access-control-cve-cluster · ATT&CK page ↗

Story timeline

  1. 2026-07-10Open WebUI's six broken-access-control CVEs are one recurring authorization-architecture defect, not six isolated bugs
    researchCSA Labs shows self-hosted Open WebUI has shipped six access-control CVEs since November 2025 — including an XSS-to-RCE chain and one still-unpatched IDOR

Where this entity is cited

  • research1

Source distribution

  • github.com2 (67%)
  • labs.cloudsecurityalliance.org1 (33%)

Related entities

Entries about Open WebUI /api/tasks/stop/ IDOR — unauthorized task cancellation (unpatched) (1)

2026-07-10 · view entry permalink →

NOTABLECVE-2025-64496 +5NATOB1

Open WebUI's six broken-access-control CVEs are one recurring authorization-architecture defect, not six isolated bugs

CSA Labs' research note ties six broken-access-control CVEs disclosed in the self-hosted Open WebUI LLM front-end between November 2025 and June 2026 to a single architectural cause: authorization implemented ad hoc, endpoint by endpoint, rather than enforced through one policy layer that asks a consistent question — not "is this a valid session" but "is this specific user permitted to perform this specific action on this specific resource" (CSA Labs, 2026-07-10). The most severe, CVE-2025-64496, exploits the Direct Connections feature: the client trusted server-sent events of type "execute" and evaluated them with JavaScript's new Function(), treating output from an attacker-controlled model server as code in the victim's authenticated browser session — enough to steal the auth token from browser local storage, and, for a session holding the workspace.tools permission, to escalate via the backend's unsandboxed Python exec() to full RCE on the host (fixed 0.6.35; NVD later scored it 8.0 versus the advisory's 7.3). Four more affect the 0.9.x line: CVE-2026-44556 (7.1) reaches any configured model through the /api/openai/responses proxy that checks only session validity, not per-model grants (CWE-862); CVE-2026-44557 (4.3) exposes system-wide knowledge-base metadata via an incomplete allowlist; CVE-2026-44564 (5.4) lets a read-only Socket.IO room member emit ydoc:document:update events because the handler checks room membership, not write permission; and CVE-2026-54015 (6.4) is a prompt-history IDOR validating the URL prompt-ID but not the caller-supplied history-ID (CWE-639). CVE-2025-63681 (2.1, task-cancellation IDOR) "remains unpatched as of this writing" (CSA Labs, 2026-07-10); two of the advisories were confirmed against the GitHub Security Advisory Database this run (GitHub Security Advisories; GitHub Security Advisories).

Because Open WebUI is self-hosted rather than a managed service, the compensating-control burden falls on the operator, not a vendor — and self-hosting is exactly the deployment public-sector and research teams choose to keep prompts, documents and credentials off third-party SaaS, which is why the cluster matters to this constituency.

the client trusted server-sent events of type "execute" and evaluated their contents using JavaScript's new Function() constructor -- effectively treating output from an untrusted, attacker-controlled model server as executable code running inside the victim's authenticated browser session

CVE-2025-63681 (the task-cancellation IDOR, CVSS 2.1), has no released patch as of this writing; upgrading to the latest version does not close this cluster's exposure completely.

Cloud Security Alliance (CSA Labs) 2026-07-10
research10 Jul 20:34Zmulti-sourceOpen finding ↗