2026-07-10 · view entry permalink →
Open WebUI's six broken-access-control CVEs are one recurring authorization-architecture defect, not six isolated bugs
CSA Labs' research note ties six broken-access-control CVEs disclosed in the self-hosted Open WebUI LLM front-end between November 2025 and June 2026 to a single architectural cause: authorization implemented ad hoc, endpoint by endpoint, rather than enforced through one policy layer that asks a consistent question — not "is this a valid session" but "is this specific user permitted to perform this specific action on this specific resource" (CSA Labs, 2026-07-10). The most severe, CVE-2025-64496, exploits the Direct Connections feature: the client trusted server-sent events of type "execute" and evaluated them with JavaScript's new Function(), treating output from an attacker-controlled model server as code in the victim's authenticated browser session — enough to steal the auth token from browser local storage, and, for a session holding the workspace.tools permission, to escalate via the backend's unsandboxed Python exec() to full RCE on the host (fixed 0.6.35; NVD later scored it 8.0 versus the advisory's 7.3). Four more affect the 0.9.x line: CVE-2026-44556 (7.1) reaches any configured model through the /api/openai/responses proxy that checks only session validity, not per-model grants (CWE-862); CVE-2026-44557 (4.3) exposes system-wide knowledge-base metadata via an incomplete allowlist; CVE-2026-44564 (5.4) lets a read-only Socket.IO room member emit ydoc:document:update events because the handler checks room membership, not write permission; and CVE-2026-54015 (6.4) is a prompt-history IDOR validating the URL prompt-ID but not the caller-supplied history-ID (CWE-639). CVE-2025-63681 (2.1, task-cancellation IDOR) "remains unpatched as of this writing" (CSA Labs, 2026-07-10); two of the advisories were confirmed against the GitHub Security Advisory Database this run (GitHub Security Advisories; GitHub Security Advisories).
Because Open WebUI is self-hosted rather than a managed service, the compensating-control burden falls on the operator, not a vendor — and self-hosting is exactly the deployment public-sector and research teams choose to keep prompts, documents and credentials off third-party SaaS, which is why the cluster matters to this constituency.
the client trusted server-sent events of type "execute" and evaluated their contents using JavaScript's new Function() constructor -- effectively treating output from an untrusted, attacker-controlled model server as executable code running inside the victim's authenticated browser session
CVE-2025-63681 (the task-cancellation IDOR, CVSS 2.1), has no released patch as of this writing; upgrading to the latest version does not close this cluster's exposure completely.