WebUI vulnerability may allow remote code execution
Summary
A high-severity WebUI vulnerability (CVE-2025-64496) could enable account takeover and remote code execution; a patch was released in v0.6.35 with middleware protections and Direct Connections is disabled by default.
Content
A high-severity flaw was reported in Open WebUI that can allow account takeover and, in some cases, remote code execution. The vulnerability was disclosed in October 2025 by Cato CTRL researcher Vitaly Simonovich and is tracked as CVE-2025-64496. The affected feature is Direct Connections, which lets the interface connect to external OpenAI-compatible model servers. Direct Connections is disabled by default.
Known details:
- The issue is tracked as CVE-2025-64496 with a severity score reported as 8.0/10.
- Affected versions include v0.6.34 and earlier.
- Patch v0.6.35 was released; the fix adds middleware to block execution of server-sent events from Direct Connection servers.
- The flaw is described as a code injection vulnerability in the Direct Connection feature that could lead to account takeover and, in some cases, remote code execution on backend servers.
- Researchers advised treating external AI servers as third-party code, limiting Direct Connections to vetted services, and restricting workspace.tools permissions.
Summary:
The reported flaw could enable account takeover and remote code execution on backend servers. A patch was released in v0.6.35, and Direct Connections is disabled by default. Further details remain undetermined at this time.
