From cd479fd07fa7b1420051b6d908bb241cd46a6b1d Mon Sep 17 00:00:00 2001
From: Classic298 <27028174+Classic298@users.noreply.github.com>
Date: Sat, 13 Jun 2026 00:48:57 +0200
Subject: [PATCH] Improve GHSA-2rf6-9rc8-rqch
---
 .../GHSA-2rf6-9rc8-rqch.json | 35 +++++++++++++------
 1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json b/advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json
index 653e2c6bc734f..019cbc114c3f3 100644
--- a/advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json
+++ b/advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json
@@ -1,28 +1,41 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2rf6-9rc8-rqch",
- "modified": "2026-03-09T21:31:38Z",
+ "modified": "2026-03-09T21:31:50Z",
 "published": "2026-03-09T21:31:38Z",
 "aliases": [
 "CVE-2025-15603"
 ],
- "details": "A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
- "severity": [
+ "summary": "[DISPUTED BY VENDOR] open-webui WEBUI_SECRET_KEY Insufficiently Random Values in start_windows.bat",
+ "details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. It concerns the entropy of a one-time, first-run fallback in the optional `start_windows.bat` script, reached only when the operator has set no WEBUI_SECRET_KEY and no key file yet exists. The canonical startup paths (`start.sh`, `open-webui serve`) use cryptographic-strength entropy. The reporter's own CVSS rating is 3.7 LOW. This is a configuration default of an optional helper script — out of scope per the Open WebUI security policy (Rules 1, 6). No report on this specific issue was ever filed via the project's GHSA channel; the vendor was not contacted before publication. A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603/\n\n---\n\nA security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. 
The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
+ "severity": [],
+ "affected": [
 {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
- },
- {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ "package": {
+ "ecosystem": "PyPI",
+ "name": ""
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ]
 }
 ],
- "affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15603"
 },
+ {
+ "type": "WEB",
+ "url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603"
+ },
 {
 "type": "WEB",
 "url": "https://huntr.com/bounties/b9fc7fee-d25d-4100-9703-5e78a61e1ce4"
@@ -42,7 +55,7 @@
 ],
 "database_specific": {
 "cwe_ids": [],
- "severity": "MODERATE",
+ "severity": "LOW",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-03-09T21:16:09Z"
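Review bot: The new `affected` entry gives the package an empty name, `"name": ""`, and its only range event is `"introduced": "0"` with no closing event, so the record now asserts that every version of an unnamed PyPI package is affected. The details text bounds the report at "up to 0.6.16" and names the project open-webui, and the same text says the vendor disputes the issue outright, so an open-ended range on a nameless package is the opposite of what the edit is trying to convey and will match nothing useful in scanners. Either name the package and bound the range, `"name": "open-webui"` plus an added event `{ "last_affected": "0.6.16" }`, or keep `"affected": []` as it was until the pending MITRE REJECT settles the record's status. If the intent is to retire the advisory, the OSV schema's top-level `withdrawn` timestamp is the field for that rather than a placeholder package entry.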
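Review bot: `"severity": "LOW"` in `database_specific` is now the only severity signal left in the record, because the first hunk replaced both CVSS vectors with `"severity": []`. The details text cites the reporter's CVSS rating of 3.7 LOW, so the vector that produces that score is exactly what a consumer needs alongside the label; dropping it leaves "LOW" with no traceable basis in the file. Keeping the CVSS_V3 entry in `severity` (`"type": "CVSS_V3"`, `"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"`) while changing the label would make the two consistent, and the vendor dispute is already carried by the summary and details text rather than by the absence of a score.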