“Open WebUI shops the JWT token in localStorage,” Cato researchers mentioned in a weblog put up. “Any script working on the web page can entry it. Tokens are long-lived by default, lack HttpOnly, and are cross-tab. When mixed with the execute occasion, this creates a window for account takeover.”
The assault requires the sufferer to allow Direct Connections (disabled by default) and add the attacker’s malicious mannequin URL, based on an NVD description.
Escalating to Distant Code Execution
The chance doesn’t cease at account takeover. If the compromised account has workspace.instruments permissions, attackers can leverage that session token to push authenticated Python code by means of Open WebUI’s Instruments API, which executes with out sandboxing or validation.
This turns a browser-level compromise into full distant code execution on the backend server. As soon as an attacker will get Python execution, they’ll set up persistence mechanisms, pivot into inner networks, entry delicate information shops, or run lateral assaults.
The flaw obtained a excessive severity ranking at 8/10 base rating by NVD, and a 7.3/10 base rating by GitHub. The flaw was rated excessive quite than important, reflecting the truth that exploitation requires the Direct Connections characteristic to be enabled and hinges on a person first being lured into connecting to a malicious exterior mannequin server. Patch mitigation in Open WebUI v0.6.35 entails blocking “execute” SSE occasions from Direct Connections fully, however any group nonetheless on older builds stays uncovered. Moreover, the researchers suggested shifting authentication to short-lived and HttpOnly cookies with rotation. “Pair with a strict CSP and ban dynamic code analysis”, they added.
