A high-severity vulnerability in Open WebUI could enable account takeover, which could further lead to remote code execution (RCE) in some configurations, Cato Networks researchers revealed Monday.Open WebUI is a popular open-source interface for self-hosted AI workflows that allows for external connections to other AI servers via OpenAI-compatible APIs.This feature for connecting to other servers, called Direct Connections, was found by Cato researchers to have a flaw, tracked as CVE-2025-64496, enabling potentially dangerous JavaScript code execution within the Open WebUI browser context.If a user were to use Direct Connections to connect to a malicious server, for example, due to an impersonation attack or other social-engineering scheme, sending any message to the server could trigger a server-side event (SSE) that runs JavaScript via a new Function() in the browser.This JavaScript could be used to steal the user’s Open WebUI authentication token from localStorage and exfiltrate it to the attacker, granting the attacker access to the user’s account, including chat history, uploaded documents and API keys.
Related reading:
In addition to Open WebUI account takeover, an attacker could achieve RCE on the host server if the compromised user has a specific permission called workspace.tools. With this permission present, the attacker can use the stolen authentication token to create a malicious tool that executes arbitrary Python via exec().As long as the user has the workspace.tools permission, no sandboxing or validation is performed when executing this Python code, according to Cato Networks. Thus, an attacker can potentially escalate an account takeover to a full system compromise.
The vulnerability was originally discovered by Cato CTRL Senior Security Researcher Vitaly Simonovich in October 2025 and first disclosed and patched in November 2025. The vulnerability was assigned a CVSS score of 8 by the National Institute of Standard and Technology’s (NIST) National Vulnerability Database (NVD).The flaw affects Open WebUI versions v.0.6.34 and earlier and users are recommended to patch to version 0.6.35 or later. The patch adds middleware to block the execution of SSEs from Direct Connections servers, according to Cato.Cato also advises users to treat connections to external AI servers like third-party code and limit Direct Connections only to services that have been properly vetted. Additionally, organizations should limit the workspace.tools permission only to essential users, monitor for any suspicious tool creations and implement policies to regularly rotate Open WebUI tokens, Cato said.
Vulnerability Management, Patch/Configuration Management, AI/ML, Identity, Application security, Exposure management
Open WebUI account takeover flaw could lead to remote code execution

An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



