Open WebUI Direct Connections flaw risks account takeover
⚠️ A high-severity vulnerability (CVE-2025-64496) affecting Open WebUI versions 0.6.34 and earlier can enable account takeover when the Direct Connections feature is enabled. A malicious OpenAI-compatible model server can send a crafted server-sent events message that executes JavaScript in a connected user's browser and steals authentication tokens from localStorage. Open WebUI 0.6.35 and later block the malicious execute events; administrators should upgrade immediately, restrict Direct Connections to trusted endpoints, and strengthen authentication and sandboxing.
