github · Classic298 · Jun 12, 2026
diff --git a/advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json b/advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json
@@ -1,28 +1,41 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2rf6-9rc8-rqch",
-  "modified": "2026-03-09T21:31:38Z",
+  "modified": "2026-03-09T21:31:50Z",
   "published": "2026-03-09T21:31:38Z",
   "aliases": [
     "CVE-2025-15603"
   ],
-  "details": "A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
-  "severity": [
+  "summary": "[DISPUTED BY VENDOR] open-webui WEBUI_SECRET_KEY Insufficiently Random Values in start_windows.bat",
+  "details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. It concerns the entropy of a one-time, first-run fallback in the optional `start_windows.bat` script, reached only when the operator has set no WEBUI_SECRET_KEY and no key file yet exists. The canonical startup paths (`start.sh`, `open-webui serve`) use cryptographic-strength entropy. The reporter's own CVSS rating is 3.7 LOW. This is a configuration default of an optional helper script — out of scope per the Open WebUI security policy (Rules 1, 6). No report on this specific issue was ever filed via the project's GHSA channel; the vendor was not contacted before publication. A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603/\n\n---\n\nA security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
+  "severity": [],
+  "affected": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
-    },
-    {
-      "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "package": {
+        "ecosystem": "PyPI",
+        "name": ""
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15603"
     },
+    {
+      "type": "WEB",
+      "url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603"
+    },
     {
       "type": "WEB",
       "url": "https://huntr.com/bounties/b9fc7fee-d25d-4100-9703-5e78a61e1ce4"
@@ -42,7 +55,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": "MODERATE",
+    "severity": "LOW",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-09T21:16:09Z"