HighPublic exploit

Open WebUI Direct Connections SSE execute event code injection

IdentifiersCVE-2025-64496CWE-79

CVE-2025-64496 is a code injection / cross-site scripting vulnerability in Open WebUI's Direct Connections feature. In affected versions, malicious external OpenAI-compatible model servers can send crafted Server-Sent Event (SSE) messages, specifically 'execute' events, that are handled insecurely by the client and result in arbitrary JavaScript execution in the victim's browser context. The issue affects Open WebUI versions prior to 0.6.35; supporting content also states versions up to and including 0.6.34 are affected, while another source references 0.6.224 and prior, but the consistent fix version is 0.6.35. Successful exploitation allows theft of authentication tokens such as JWTs stored in localStorage, leading to session hijacking and account takeover. If the compromised account has access to the Functions/Tools API, the attacker can submit authenticated Python code that is executed on the backend without effective sandboxing or validation, resulting in remote code execution on the server.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Exploitation provides arbitrary JavaScript execution in the browser of a user connected to a malicious model server, enabling theft of authentication tokens, session hijacking, and full account takeover, including administrative accounts if targeted. Attackers can access the victim's AI workspace, chats, documents, and embedded API keys. When the stolen session belongs to a user permitted to use Workspace Tools / Functions API, the attacker can chain the issue into backend remote code execution by injecting authenticated Python code. This can enable persistence, access to sensitive server-side data, internal network access, and lateral movement from the Open WebUI host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, keep Direct Connections disabled; it is disabled by default. Do not add or permit untrusted external model server URLs, and restrict Direct Connections to a tightly controlled allowlist of trusted providers/endpoints. Limit which users, especially administrators, can enable or configure Direct Connections. Treat socially engineered model URLs as hostile. Additional hardening recommended in the supporting content includes replacing long-lived localStorage tokens with short-lived rotating HttpOnly cookies and enforcing a strict Content Security Policy to reduce script execution and token exposure risk.

Remediation

Patch, then assume compromise.

Upgrade Open WebUI to version 0.6.35 or later. The fix blocks 'execute' SSE events from Direct Connections. Ensure all deployments running affected versions are updated promptly, including any package sources used for installation. After patching, review active sessions and rotate potentially exposed authentication tokens, especially if untrusted Direct Connections were previously used. Review and restrict permissions to the Functions/Tools API where possible.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

OpenwebuiOpen-Webuiapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app

the hacker newsNews

Jan 8, 2026

ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories

A high-severity flaw in Open WebUI (CVE-2025-64496) allows account takeover and potential remote code execution if a user connects to a malicious external AI model server.

cso onlineNews

Jan 7, 2026

Bug in Open WebUI macht Kostenlos-Tool zur Backdoor

A high-severity vulnerability in Open WebUI (up to and including version 0.6.34) allows attackers controlling a malicious model server to inject code via Server-Sent Events (SSE) when the 'Direct Connections' feature is enabled, leading to account takeover and potential remote code execution on backend servers.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-64496

NVD

nvd.nist.gov/vuln/detail/CVE-2025-64496

MITRE CWE · CWE-79

cwe.mitre.org

Patch

github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca

Third Party Advisory

github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx