(Image credit: Getty Images)
- Open WebUI carried CVE-2025-64496, a high-severity code injection flaw in Direct Connection features
- Exploitation could enable account takeover and RCE via malicious model URLs and Functions API chaining
- Patch v0.6.35 adds middleware protections; users urged to restrict Direct Connections and monitor tool permissions
Open WebUI, an open-source, self-hosted web interface for interacting with local or remote AI language models, carried a high-severity vulnerability that enabled account takeover and, in some cases, remote code execution (RCE), as well.
This is according to Cato CTRL Senior Security Researcher Vitaly Simonovich who, in October 2025, disclosed a vulnerability that …
(Image credit: Getty Images)
- Open WebUI carried CVE-2025-64496, a high-severity code injection flaw in Direct Connection features
- Exploitation could enable account takeover and RCE via malicious model URLs and Functions API chaining
- Patch v0.6.35 adds middleware protections; users urged to restrict Direct Connections and monitor tool permissions
Open WebUI, an open-source, self-hosted web interface for interacting with local or remote AI language models, carried a high-severity vulnerability that enabled account takeover and, in some cases, remote code execution (RCE), as well.
This is according to Cato CTRL Senior Security Researcher Vitaly Simonovich who, in October 2025, disclosed a vulnerability that is now tracked as CVE-2025-64496.
This bug, which was given a severity score of 8.0/10 (high), is described as a code injection flaw in the Direct Connection features, which allows threat actors to run arbitrary JavaScript in browsers via Server-Sent Event (SSE) execute events.
Users invited to patch
Direct Connections lets users connect the interface directly to external, OpenAI-compatible model servers by specifying a custom API endpoint.
By abusing the flaw, threat actors can steal tokens and completely take over compromised accounts. They, in turn, can be chained with the Functions API, leading to remote code execution on the backend server.
The silver lining, according to NVD, is that the victim needs to first enable Direct Connections, which is disabled by default, and add the attacker’s malicious model URL. The latter, however, can be achieved relatively easily through social engineering.
Affected versions include v.0.6.34, and earlier, and users are advised to patch to version 0.6.35, or newer. Cato said the fix adds middleware to block the execution of SSEs from Direct Connection servers.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Furthermore, the researchers also said users should treat connections to external AI servers like third-party code, and with that in mind, should limit Direct Connections only to properly vetted services.
Finally, users should also limit the workspace.tools permissions to essential users only and keep tabs on any suspicious tool creations. “This is a typical trust boundary failure between untrusted model servers and a trusted browser context,” Cato concluded.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.