CVE-2025-63391

EUVD-2025-204307
An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
openwebuiopen_webui
𝑥
≤ 0.6.32
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/Cristliu/13c41b97285b776275bc8bfd3504e51b
https://gist.github.com/Cristliu/889471313b3c698fff74d32b7717807c
https://github.com/open-webui/open-webui/issues