High-severity flaw in Open WebUI may enable remote code execution via Direct Connections
A high-severity vulnerability in Open WebUI could enable account takeover and potentially lead to remote code execution in some configurations, according to research published Monday by Cato Networks. The flaw affects the popular open-source interface for self-hosted AI workflows.
Open WebUI allows external connections to other AI servers via OpenAI-compatible APIs through a feature called Direct Connections. Cato researchers discovered this feature contains a vulnerability, tracked as CVE-2025-64496, that enables potentially dangerous JavaScript code execution within the browser context.
If a user is persuaded, through social engineering or an impersonation attack, to connect to a malicious server, sending any message to that server could trigger a server-sent event that runs JavaScript through the new Function() constructor in the browser. This JavaScript could steal the user’s authentication token from localStorage and send it to the attacker, granting access to the user’s account, chat history, uploaded documents and API keys.
An attacker could achieve remote code execution on the host server if the compromised user has a specific permission called workspace.tools. With this permission, the attacker can use the stolen authentication token to create a malicious tool that executes arbitrary Python code via exec().
No sandboxing or validation is performed when executing this Python code as long as the user has the workspace.tools permission, according to Cato Networks. This allows an attacker to potentially escalate an account takeover to a full system compromise.
Cato CTRL Senior Security Researcher Vitaly Simonovich discovered the vulnerability in October 2025. It was disclosed and patched in November 2025, receiving a CVSS score of 8 from the National Institute of Standards and Technology’s National Vulnerability Database.
The flaw affects Open WebUI versions 0.6.34 and earlier. Users should update to version 0.6.35 or later, which adds middleware to block the execution of server-sent events from Direct Connections servers.
Cato recommends treating connections to external AI servers like third-party code and limiting Direct Connections only to properly vetted services. Organizations should also restrict the workspace.tools permission to essential users, monitor for suspicious tool creations and implement policies to regularly rotate Open WebUI tokens.
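One way to support the recommendation to monitor for suspicious tool creations is to triage the Python source of each new tool before or after it is saved. The following is an added example, not code from Open WebUI or Cato Networks; it assumes the tool source is available as text, and the risky-call list, function names and sample tools are constructed for illustration.

```python
import ast

# Call names treated as high-risk in a tool body (an assumed starting list; tune it).
RISKY_CALLS = {"exec", "eval", "compile", "__import__", "os.system", "os.popen",
               "subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output"}
# Modules whose import alone warrants a second look in a newly created tool.
RISKY_MODULES = {"subprocess", "socket", "ctypes", "pty"}


def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def review_tool_source(source):
    """Return sorted (line, finding) tuples for risky constructs in tool source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as err:
        return [(err.lineno or 0, "unparseable source")]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.add((node.lineno, f"call to {name}"))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.add((node.lineno, f"import of {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.add((node.lineno, f"import from {node.module}"))
    return sorted(findings)


# Constructed samples: a benign tool and one that shells out.
BENIGN_TOOL = "class Tools:\n    def add(self, a: int, b: int) -> int:\n        return a + b\n"
SUSPECT_TOOL = ("import subprocess\nclass Tools:\n    def run(self, cmd: str) -> str:\n"
                "        return subprocess.check_output(cmd, shell=True).decode()\n")

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_TOOL), ("suspect", SUSPECT_TOOL)):
        print(label, review_tool_source(src))
```

Static triage like this only prioritizes tools for human review, since aliasing or dynamic attribute lookups can hide a call; restricting workspace.tools to essential users remains the actual control.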









