CVE ID: CVE-2025-63391
Date: 2025-12-18
Vendor: Open-WebUI
Product: Open-WebUI
Affected Versions: <= v0.6.32
Vulnerability Type: Insecure Permissions / Authentication Bypass
Severity: Medium (Information Disclosure)
An authentication bypass vulnerability exists in the /api/config endpoint of Open-WebUI <= v0.6.32. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.
- Component: /api/config API endpoint, authentication middleware
- Vulnerability: Missing access control on configuration endpoint.
Attack Type: Remote
Attack Vectors:
An unauthenticated attacker can send HTTP GET requests to the /api/config endpoint without any authentication credentials. The endpoint fails to implement access control, allowing anonymous users to retrieve comprehensive system configuration information.
Exposed Data:
- Authentication status
- Enabled features
- Security settings
- Integration configurations
- User statistics
Impact:
- Information Disclosure: The exposed configuration can be used for reconnaissance to identify security weaknesses and plan unauthorized access attempts.
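A minimal model of the missing control and its fix, added here as an example and not Open-WebUI's code: the open handler hands the whole configuration to an anonymous GET, while the hardened handler returns the full document only to an authenticated admin and a deliberately small public subset to everyone else, so a login page that needs a few settings keeps working. The session store, configuration keys and token values are constructed placeholders.

```python
"""Constructed model of a config endpoint: open variant beside a hardened
variant that gates sensitive keys behind authentication (not Open-WebUI code)."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical session store: bearer token -> role.
SESSIONS = {"tok-admin-123": "admin", "tok-user-456": "user"}

# Constructed configuration mixing harmless and sensitive keys.
CONFIG = {
    "version": "x.y.z",
    "auth_enabled": True,
    "signup_enabled": False,
    "features": {"web_search": True, "image_generation": False},
    "integrations": {"openai_base_url": "https://api.example.internal/v1"},
    "user_count": 42,
}

# The only keys an anonymous client (a login page, say) legitimately needs.
PUBLIC_KEYS = {"version", "auth_enabled", "signup_enabled"}


@dataclass
class Request:
    headers: dict


@dataclass
class Response:
    status: int
    body: dict


def current_role(req: Request) -> Optional[str]:
    """Resolve the bearer token to a role; None if absent or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def get_config_open(req: Request) -> Response:
    """Vulnerable pattern: no access control, full config to anyone."""
    return Response(200, dict(CONFIG))


def get_config_hardened(req: Request) -> Response:
    """Fixed pattern: full document only for admins; everyone else,
    including unauthenticated callers, gets the public subset."""
    if current_role(req) == "admin":
        return Response(200, dict(CONFIG))
    return Response(200, {k: CONFIG[k] for k in PUBLIC_KEYS})
```

The same split is the regression check to keep: an anonymous request against the config route must never yield integration or user-statistics keys.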
- Vendor Repository: https://github.com/open-webui/open-webui
- Issues: https://github.com/open-webui/open-webui/issues
Discovered and reported by Zhihuang Liu (herecristliu@gmail.com)