Can you explain this vulnerability to me?

CVE-2025-63391 is an authentication bypass vulnerability in Open-WebUI versions up to and including 0.6.32. It affects the /api/config API endpoint, which lacks proper authentication and authorization controls. This allows unauthenticated remote attackers to send HTTP GET requests without credentials and retrieve sensitive system configuration data such as authentication status, enabled features, security settings, integration configurations, and user statistics. [1]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can lead to information disclosure by exposing sensitive system configuration data to unauthenticated attackers. Attackers can use this information for reconnaissance to identify security weaknesses and potentially facilitate further unauthorized access attempts, compromising the security of the affected system. [1]

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by sending an unauthenticated HTTP GET request to the /api/config endpoint of the Open-WebUI server. If the server responds with sensitive configuration data without requiring authentication, it is vulnerable. For example, you can use the following curl command to test: curl -X GET http://<target-ip-or-hostname>/api/config If the response contains system configuration details without authentication prompts, the vulnerability is present. [1]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the /api/config endpoint by implementing proper authentication and authorization controls. If possible, update Open-WebUI to a version later than 0.6.32 where this issue is fixed. Additionally, consider network-level protections such as firewall rules to limit access to the affected endpoint only to trusted users or systems. [1]

Useful 0 Not Useful 0