ctipilot.ch
← Back to the live brief
NOTABLECVE-2025-64496 +5NATOB1research

Open WebUI's six broken-access-control CVEs are one recurring authorization-architecture defect, not six isolated bugs

discovered 2026-07-10 20:34 UTCrun 2026-07-10T2009Z-intel3 sourcesmulti-source

CSA Labs' research note ties six broken-access-control CVEs disclosed in the self-hosted Open WebUI LLM front-end between November 2025 and June 2026 to a single architectural cause: authorization implemented ad hoc, endpoint by endpoint, rather than enforced through one policy layer that asks a consistent question — not "is this a valid session" but "is this specific user permitted to perform this specific action on this specific resource" (CSA Labs, 2026-07-10). The most severe, CVE-2025-64496, exploits the Direct Connections feature: the client trusted server-sent events of type "execute" and evaluated them with JavaScript's new Function(), treating output from an attacker-controlled model server as code in the victim's authenticated browser session — enough to steal the auth token from browser local storage, and, for a session holding the workspace.tools permission, to escalate via the backend's unsandboxed Python exec() to full RCE on the host (fixed 0.6.35; NVD later scored it 8.0 versus the advisory's 7.3). Four more affect the 0.9.x line: CVE-2026-44556 (7.1) reaches any configured model through the /api/openai/responses proxy that checks only session validity, not per-model grants (CWE-862); CVE-2026-44557 (4.3) exposes system-wide knowledge-base metadata via an incomplete allowlist; CVE-2026-44564 (5.4) lets a read-only Socket.IO room member emit ydoc:document:update events because the handler checks room membership, not write permission; and CVE-2026-54015 (6.4) is a prompt-history IDOR validating the URL prompt-ID but not the caller-supplied history-ID (CWE-639). CVE-2025-63681 (2.1, task-cancellation IDOR) "remains unpatched as of this writing" (CSA Labs, 2026-07-10); two of the advisories were confirmed against the GitHub Security Advisory Database this run (GitHub Security Advisories; GitHub Security Advisories).

Because Open WebUI is self-hosted rather than a managed service, the compensating-control burden falls on the operator, not a vendor — and self-hosting is exactly the deployment public-sector and research teams choose to keep prompts, documents and credentials off third-party SaaS, which is why the cluster matters to this constituency.

the client trusted server-sent events of type "execute" and evaluated their contents using JavaScript's new Function() constructor -- effectively treating output from an untrusted, attacker-controlled model server as executable code running inside the victim's authenticated browser session

CVE-2025-63681 (the task-cancellation IDOR, CVSS 2.1), has no released patch as of this writing; upgrading to the latest version does not close this cluster's exposure completely.

Cloud Security Alliance (CSA Labs) 2026-07-10

Defender actions

  • Confirm Open WebUI instances run ≥ 0.9.6; audit which accounts hold the workspace.tools permission and revoke it from any account not authoring executable functions — that permission is what converts client-side token theft into server-side RCE.
  • Restrict the Direct Connections feature to fully-trusted model servers only, and place the Open WebUI admin interface and API behind an authenticating reverse proxy / SSO gateway / VPN rather than exposing it directly — CVE-2025-63681 has no patch, so a compensating control is the only mitigation for it.

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1059.006Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

overlap matrix · ATT&CK page ↗

T1059.007Command and Scripting Interpreter: JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1539Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.