@@ -1,24 +1,46 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hqhc-8hp4-hrwc",
"modified": "2026-01-22T18:30:29Z",
"modified": "2026-01-22T18:30:30Z",
"published": "2025-12-18T18:30:30Z",
"aliases": [
"CVE-2025-63391"
],
"details": "An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.",
"summary": "[DISPUTED BY VENDOR] Open-WebUI /api/config Authentication Bypass",
"details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. The cited endpoint (`routers/ollama.py:verify_connection`) is gated by an admin-only authentication dependency — reachable only by administrators verifying a model-server URL they themselves just configured. The \"attacker\" is the administrator typing a URL into a settings field they own. Out of scope per the Open WebUI security policy (Rule 9, Admin Actions). The vendor was not contacted before publication (originated from a personal markdown file in an unrelated GitHub repository, submitted directly to MITRE). A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2025-29446/\n\n---\n\nAn authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": ""
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63391"
},
{
"type": "WEB",
"url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2025-29446"
},
{
"type": "WEB",
"url": "https://gist.github.com/Cristliu/13c41b97285b776275bc8bfd3504e51b"
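Review bot: the new `affected` entry pairs `"ecosystem": "PyPI"` with `"name": ""`, so it identifies no package and OSV consumers cannot match it; fill in the real PyPI package name or keep `affected` empty rather than shipping a blank identifier. The range also carries only `{"introduced": "0"}` with no `fixed` or `last_affected` event, although the details state `<=0.6.32`; adding `"last_affected": "0.6.32"` (or a `fixed` event if a fixed release exists) would make the range agree with the text. Two cross-checks on the rewritten `details`: the vendor-dispute paragraph cites `routers/ollama.py:verify_connection` while the original description concerns `/api/config`, and the disposition URL names `cve-2025-29446` rather than this advisory's `CVE-2025-63391`; confirm the dispute text was not carried over from a different advisory before merging.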