High-Severity Flaw in Open WebUI Affects AI Connections

Infosecurity Magazine • January 6, 2026

Companies Mentioned

  • Cato Networks
  • OpenAI

Why It Matters

The bug threatens the security of self‑hosted AI workflows, exposing sensitive data and potentially compromising enterprise environments that rely on Open WebUI for model access.

Key Takeaways

  • CVE‑2025‑64496 affects Open WebUI ≤ 0.6.34.
  • Direct Connections can execute malicious JavaScript via SSE.
  • Attack steals localStorage tokens, enabling account takeover.
  • Patch released in v0.6.35 blocks malicious events.
  • Organizations should enforce strict authentication and sandboxing.

Pulse Analysis

The discovery of CVE‑2025‑64496 underscores how seemingly innocuous integration points can become attack vectors in modern AI stacks. Direct Connections was designed to let developers link Open WebUI to any OpenAI‑compatible server, but the feature trusted server‑sent events without validation. By injecting crafted JavaScript, an adversary can harvest JWTs stored in the browser’s localStorage, granting immediate access to user accounts, chat logs, and uploaded documents. For users with elevated workspace permissions, the breach can even evolve into remote code execution, amplifying the risk.

Enterprises adopting self‑hosted AI solutions often prioritize flexibility over hardened security, making them attractive targets for supply‑chain style attacks. The Open WebUI flaw highlights a broader trend: AI‑centric interfaces are increasingly exposed to external model providers, expanding the attack surface beyond traditional APIs. A successful exploit not only compromises confidential business intelligence but also jeopardizes compliance regimes that mandate strict data residency and encryption. As AI workloads proliferate across regulated sectors, the cost of a single token theft can cascade into regulatory fines and reputational damage.

Open WebUI’s response—blocking malicious execute events in version 0.6.35—demonstrates the importance of rapid patch cycles for AI tooling. However, patching alone is insufficient. Organizations should adopt zero‑trust principles, enforce multi‑factor authentication, and sandbox third‑party model endpoints. Regular code reviews of UI components, coupled with monitoring for anomalous SSE traffic, can further reduce exposure. By integrating these defenses, firms can safeguard AI workflows while still leveraging the agility that Open WebUI provides.
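
One way to act on the advice above about validating and monitoring SSE traffic, shown as an added example that is not Open WebUI's code or its patch: an allowlist filter for a server-sent event stream coming from a third-party model endpoint. The allowlist, the JSON `type` locations checked and the sample stream are assumptions constructed for illustration.

```javascript
// ASSUMPTION: an event's kind sits in the SSE "event:" field or in a JSON
// "type" / "event.type" key inside "data:"; not taken from Open WebUI's code.
const ALLOWED_TYPES = new Set(["message"]); // hypothetical allowlist

// Parse SSE text into {type, data} events per the WHATWG field rules.
function parseSse(text) {
  const events = [];
  let type = "", data = [];
  for (const line of text.split(/\r\n|\n|\r/)) {
    if (line === "") { // blank line dispatches the pending event
      if (data.length) events.push({ type: type || "message", data: data.join("\n") });
      type = ""; data = [];
    } else if (!line.startsWith(":")) { // ":" opens a comment line
      const i = line.indexOf(":");
      const field = i === -1 ? line : line.slice(0, i);
      let value = i === -1 ? "" : line.slice(i + 1);
      if (value.startsWith(" ")) value = value.slice(1);
      if (field === "event") type = value;
      else if (field === "data") data.push(value);
    }
  }
  return events;
}

// Every type an event claims: the SSE field plus any JSON-declared one.
function declaredTypes(ev) {
  const types = [ev.type];
  try {
    const body = JSON.parse(ev.data);
    for (const t of [body?.type, body?.event?.type]) if (typeof t === "string") types.push(t);
  } catch { /* non-JSON data such as "[DONE]" declares no nested type */ }
  return types;
}

// Fail closed: forward an event only when all declared types are allowlisted.
function filterStream(text) {
  const passed = [], blocked = [];
  for (const ev of parseSse(text)) {
    const ok = declaredTypes(ev).every((t) => ALLOWED_TYPES.has(t));
    (ok ? passed : blocked).push(ev);
  }
  return { passed, blocked };
}

// Constructed sample: two ordinary chunks and two "execute" events.
const SAMPLE = ['data: {"choices":[{"delta":{"content":"Hi"}}]}', "",
  "event: execute", 'data: {"code":"/* placeholder */"}', "",
  'data: {"event":{"type":"execute"}}', "", "data: [DONE]", "", ""].join("\n");
console.log(filterStream(SAMPLE).blocked.map((e) => e.type));
```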
