Executive Summary

CVE-2025-63391 is an authentication bypass vulnerability in Open-WebUI versions up to and including 0.6.32. It affects the /api/config API endpoint, which lacks proper authentication and authorization controls. This allows unauthenticated remote attackers to send HTTP GET requests without credentials and retrieve sensitive system configuration data such as authentication status, enabled features, security settings, integration configurations, and user statistics. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to information disclosure by exposing sensitive system configuration data to unauthenticated attackers. Attackers can use this information for reconnaissance to identify security weaknesses and potentially facilitate further unauthorized access attempts, compromising the security of the affected system. [1]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by sending an unauthenticated HTTP GET request to the /api/config endpoint of the Open-WebUI server. If the server responds with sensitive configuration data without requiring authentication, it is vulnerable. For example, you can use the following curl command to test: curl -X GET http://<target-ip-or-hostname>/api/config If the response contains system configuration details without authentication prompts, the vulnerability is present. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the /api/config endpoint by implementing proper authentication and authorization controls. If possible, update Open-WebUI to a version later than 0.6.32 where this issue is fixed. Additionally, consider network-level protections such as firewall rules to limit access to the affected endpoint only to trusted users or systems. [1]

Useful 0 Not Useful 0