CVE-2025-15603

Summary

A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.

Affected Software

VendorProductVersion RangeStatus
n/aopen-webui0.6.0affected
n/aopen-webui0.6.1affected
n/aopen-webui0.6.2affected
n/aopen-webui0.6.3affected
n/aopen-webui0.6.4affected
n/aopen-webui0.6.5affected
n/aopen-webui0.6.6affected
n/aopen-webui0.6.7affected
n/aopen-webui0.6.8affected
n/aopen-webui0.6.9affected
n/aopen-webui0.6.10affected
n/aopen-webui0.6.11affected
n/aopen-webui0.6.12affected
n/aopen-webui0.6.13affected
n/aopen-webui0.6.14affected
n/aopen-webui0.6.15affected
n/aopen-webui0.6.16affected

Weaknesses

  • CWE-330: Insufficiently Random Values
  • CWE-310: Cryptographic Issues

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References