CVE-2025-63681: Medium severity open-webui open-webui vulnerability
Published Dec 4, 2025
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The /api/tasks/stop/ API endpoint cancels the task named in the request without verifying that the requesting user owns it, so an attacker who is only a normal user can stop arbitrary LLM response tasks, including those belonging to other users.
Affected Software
3 affected components
open-webui open-webui
pip/open-webui <= 0.6.33
openwebui Open WebUI = 0.6.41
Event History
Dec 4, 2025
CVE Published via MITRE, 12:00 AM
Data Sourced via MITRE, 12:00 AM (Description)
Data Sourced via NVD, 04:16 PM (Description, Severity, Weakness, Affected Software)
Advisory Published via GitHub, 06:30 PM
Data Sourced via GitHub, 06:30 PM (Description, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2025-63681?
CVE-2025-63681 has a high severity because unauthorized users can cancel arbitrary tasks.
2. How do I fix CVE-2025-63681?
To fix CVE-2025-63681, implement proper access control on the /api/tasks/stop/ endpoint, so that a task can only be stopped by the user who owns it.
3. Who is affected by CVE-2025-63681?
CVE-2025-63681 affects users of open-webui version 0.6.33.
4. What type of vulnerability is CVE-2025-63681?
CVE-2025-63681 is classified as an Incorrect Access Control vulnerability.
5. What can attackers do with CVE-2025-63681?
Because the endpoint does not verify task ownership, attackers can stop arbitrary LLM response tasks, including those started by other users.
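As an added illustration of the fix described in the FAQ (example code, not Open WebUI's own), the block below shows a minimal in-memory task registry with the vulnerable unchecked stop beside an ownership-checked stop. The registry class, task ids and user names are constructed for the example; how Open WebUI itself tracks running tasks is not shown on this page.

```python
from __future__ import annotations
import logging
from dataclasses import dataclass

log = logging.getLogger("task_stop")


@dataclass
class Task:
    task_id: str
    owner_id: str
    cancelled: bool = False


class TaskRegistry:
    # Constructed stand-in for the server-side table of running LLM tasks.
    def __init__(self) -> None:
        self._tasks: dict[str, Task] = {}

    def start(self, task_id: str, owner_id: str) -> Task:
        task = Task(task_id, owner_id)
        self._tasks[task_id] = task
        return task

    def is_cancelled(self, task_id: str) -> bool:
        return self._tasks[task_id].cancelled

    def stop_unchecked(self, task_id: str) -> bool:
        # Vulnerable pattern: trusts the caller-supplied id and cancels
        # whatever task it names, regardless of who is asking.
        task = self._tasks.get(task_id)
        if task is None:
            return False
        task.cancelled = True
        return True

    def stop_for_user(self, task_id: str, user_id: str, is_admin: bool = False) -> str:
        # Hardened pattern: the task must exist AND belong to the caller
        # (or the caller must be an admin). Non-owned and non-existent tasks
        # get the same answer so the endpoint cannot be used to enumerate
        # other users' task ids; the denial is logged for detection.
        task = self._tasks.get(task_id)
        if task is None or (task.owner_id != user_id and not is_admin):
            log.warning("denied stop of task %s requested by user %s", task_id, user_id)
            return "denied"
        task.cancelled = True
        return "cancelled"
```

In a real handler the "denied" result maps to a single HTTP error status for both cases, and `user_id` comes from the authenticated session, never from the request body.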