CVE-2025-63681 — LOW AI Security Vulnerability

Q: Is CVE-2025-63681 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-63681, increasing the risk of exploitation.

Q: How to fix CVE-2025-63681?

1. Patch: No official fix released at CVE publication—monitor open-webui GitHub releases and apply promptly when available. 2. Workaround: Add reverse proxy rule (nginx/Caddy) to block or restrict POST /api/tasks/stop/ to admin session tokens only. 3. Detection: Correlate /api/tasks/stop/ API calls with task ownership logs—alert when the calling user_id does not match the task creator user_id. 4. Network control: If Open-WebUI is internal tooling, ensure /api/ endpoints are not externally reachable. 5. Access hygiene: Audit and prune Open-WebUI accounts—remove dormant or shared credentials that could be abused.

Q: What systems are affected by CVE-2025-63681?

This vulnerability affects the following AI/ML architecture patterns: LLM frontend/UI platforms, multi-user inference serving, self-hosted AI assistants, agentic workflow orchestration.

Q: What is the CVSS score for CVE-2025-63681?

No CVSS score has been assigned yet.

CISO Take

CVE-2025-63681 is a broken object-level authorization flaw in Open-WebUI v0.6.33 that lets any authenticated user cancel any other user's running LLM inference task—no privilege escalation required. While CVSS is low and there is no data exposure, in multi-user or enterprise deployments a single compromised or malicious account can silently kill production inference workflows on demand. Upgrade when a patch ships; interim mitigation is restricting /api/tasks/stop/ to admin roles at the reverse proxy layer.

Risk Assessment

Low overall risk, but contextually elevated in multi-tenant Open-WebUI deployments where business-critical LLM workflows run. Exploitation requires only a valid authenticated session—no special AI/ML knowledge needed. No data exfiltration, no RCE, no admin escalation. Risk amplifies in environments where long-running agentic or batch LLM jobs are business-critical (contract analysis, report generation, automated triage). EPSS 0.00013 confirms negligible exploit-in-the-wild activity at time of disclosure. Primary threat vector is insider threat or post-credential-compromise lateral movement.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.6.33	No patch
135.3K Pushed 8d ago 58% patched ~9d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

5 steps

Patch: No official fix released at CVE publication—monitor open-webui GitHub releases and apply promptly when available.
Workaround: Add reverse proxy rule (nginx/Caddy) to block or restrict POST /api/tasks/stop/ to admin session tokens only.
Detection: Correlate /api/tasks/stop/ API calls with task ownership logs—alert when the calling user_id does not match the task creator user_id.
Network control: If Open-WebUI is internal tooling, ensure /api/ endpoints are not externally reachable.
Access hygiene: Audit and prune Open-WebUI accounts—remove dormant or shared credentials that could be abused.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass DoS API Inference Framework AML.T0012 - Valid Accounts AML.T0029 - Denial of AI Service AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Access to AI systems and tools

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-63681?

CVE-2025-63681 is a broken object-level authorization flaw in Open-WebUI v0.6.33 that lets any authenticated user cancel any other user's running LLM inference task—no privilege escalation required. While CVSS is low and there is no data exposure, in multi-user or enterprise deployments a single compromised or malicious account can silently kill production inference workflows on demand. Upgrade when a patch ships; interim mitigation is restricting /api/tasks/stop/ to admin roles at the reverse proxy layer.

Is CVE-2025-63681 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-63681, increasing the risk of exploitation.

How to fix CVE-2025-63681?

1. Patch: No official fix released at CVE publication—monitor open-webui GitHub releases and apply promptly when available. 2. Workaround: Add reverse proxy rule (nginx/Caddy) to block or restrict POST /api/tasks/stop/ to admin session tokens only. 3. Detection: Correlate /api/tasks/stop/ API calls with task ownership logs—alert when the calling user_id does not match the task creator user_id. 4. Network control: If Open-WebUI is internal tooling, ensure /api/ endpoints are not externally reachable. 5. Access hygiene: Audit and prune Open-WebUI accounts—remove dormant or shared credentials that could be abused.

What systems are affected by CVE-2025-63681?

This vulnerability affects the following AI/ML architecture patterns: LLM frontend/UI platforms, multi-user inference serving, self-hosted AI assistants, agentic workflow orchestration.

What is the CVSS score for CVE-2025-63681?

No CVSS score has been assigned yet.

Technical Details

NVD Description

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

Exploitation Scenario

A disgruntled employee with a standard Open-WebUI account targets a colleague running a time-sensitive 45-minute LLM document analysis job. After observing the task initiation in the shared UI, the attacker calls POST /api/tasks/stop/{task_id} using their own valid session cookie—no elevated privileges, no special tooling, just curl. The task terminates silently with no attribution in the UI. The attacker repeats this pattern against any user's active jobs, creating sustained service degradation that appears as system instability rather than targeted interference. No native audit trail ties the stop event to the attacker's identity.