Open WebUI CVE Cluster — Auth Bypass, Data Exposure, and Path Traversal

AI relevance: Open WebUI's Direct Connections feature — which lets users connect to external AI backends — becomes the attack vector for CVE-2025-64496, exposing a pattern where self-hosted AI interfaces ship with insecure defaults that enable authentication bypass and cross-user data access in multi-tenant deployments.

What happened

  • Cato CTRL senior security researcher Vitaly Simonovich disclosed CVE-2025-64496 (CVSS 7.3, High severity) affecting Open WebUI versions 0.6.34 and older. The flaw resides in the Direct Connections feature, which allows users to connect to external AI model providers.
  • A cluster of related CVEs was disclosed in the same timeframe, revealing systemic authorization and input validation issues:
    • CVE-2026-54011: Stored XSS in Mermaid Markdown preview — rendered SVG inserted into DOM without sanitization
    • CVE-2026-54012: Forged model meta.knowledge allows cross-user file read and deletion
    • CVE-2026-54014: Sibling-prefix path traversal via /cache/{path} endpoint
    • CVE-2026-54016: Broken Object Level Authorization (BOLA) in search_knowledge_files tool
    • CVE-2026-54021: Unguarded url_idx parameter allows targeting arbitrary configured Ollama backends
  • The path traversal (CVE-2026-54014) allows any authenticated user to read files from sibling directories outside the intended cache scope.
  • The BOLA vulnerability (CVE-2026-54016) in the built-in search_knowledge_files tool enables unauthorized knowledge base file enumeration when native function calling is enabled.
  • CVE-2026-54021 is particularly severe for multi-tenant deployments: authenticated users can target arbitrary configured Ollama backends via an unguarded index parameter, potentially reaching models they are not authorized to use.
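
The sibling-prefix bug class named in CVE-2026-54014, as an added example (not Open WebUI's code or its actual fix): a string-prefix containment check accepts a sibling directory whose name starts with the cache directory's name, while a component-wise check rejects it. Directory names, file names and function names are constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path


def is_inside_naive(base: str, requested: str) -> bool:
    """Flawed containment check: plain string-prefix comparison."""
    target = os.path.realpath(os.path.join(base, requested))
    # ".../cache-private/x" starts with ".../cache", so a sibling passes.
    return target.startswith(os.path.realpath(base))


def is_inside_strict(base: str, requested: str) -> bool:
    """Containment check on whole path components, after resolving symlinks."""
    root = Path(base).resolve()
    target = (root / requested).resolve()
    return target == root or root in target.parents


def demo() -> dict:
    """Build a constructed directory layout and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "cache")            # intended scope
        sibling = os.path.join(tmp, "cache-private")  # shares the name prefix
        os.makedirs(os.path.join(cache, "audio"))
        os.makedirs(sibling)
        Path(cache, "audio", "a.mp3").write_bytes(b"ok")
        Path(sibling, "notes.txt").write_text("constructed secret")

        # Constructed request paths, as they would arrive in {path}.
        requests = {
            "legit": "audio/a.mp3",
            "sibling": "../cache-private/notes.txt",
            "parent": "../../outside.txt",
        }
        # Each value is (naive verdict, strict verdict).
        return {
            name: (is_inside_naive(cache, p), is_inside_strict(cache, p))
            for name, p in requests.items()
        }


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name:8} naive={naive!s:5} strict={strict}")
```

Only the sibling request separates the two checks: ordinary parent traversal is caught by both, which is why a prefix comparison can pass casual testing.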

Why it matters

Open WebUI is a popular self-hosted interface for LLMs, often deployed in team environments where multiple users share access to the same instance. The Direct Connections feature — designed to let users plug in their own API keys and model endpoints — becomes the attack surface. For AI ops teams, this cluster demonstrates the risk of shipping AI interfaces with permissive authorization models. In a multi-tenant deployment, these flaws enable cross-user data access, backend hijacking, and file system exposure — all from within the authenticated user context.

What to do

  • Update Open WebUI to version 0.6.35 or later, which addresses CVE-2025-64496 and the related CVE cluster.
  • Audit your Open WebUI deployment for multi-tenant access: if multiple users share the instance, review which users had access during the vulnerable window.
  • Check for signs of exploitation: unusual file access patterns, unexpected Ollama backend queries, or knowledge base enumeration logs.
  • If you've exposed Open WebUI to the internet, restrict access immediately and review authentication logs for suspicious activity.
  • For self-hosted deployments, consider network segmentation: isolate the Open WebUI instance from sensitive internal resources until you've verified patch status.