CVE-2025-15603
Received Received - Intake
Insufficient Entropy in open-webui JWT Key Handler Allows Remote Attack

Publication date: 2026-03-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15603
EUVD
EUVD-2025-208453
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-webui open-webui From 0.6.0 (inc) to 0.6.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
CWE-310 Cryptographic Issues
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15603 is a security vulnerability in open-webui versions up to 0.6.16, specifically in the JWT Key Handler component within the file backend/start_windows.bat.

The vulnerability arises because the argument WEBUI_SECRET_KEY is manipulated in a way that leads to insufficiently random values being generated for security-critical keys.

This results in the use of hard-coded or predictable cryptographic keys instead of properly randomized ones, which compromises the security of JSON Web Tokens (JWT) used for authentication.

The vulnerability can be exploited remotely without authentication, although the attack requires a high level of complexity and is considered difficult to execute.

Impact Analysis

This vulnerability can impact you by allowing attackers to perform JWT forgery attacks due to the use of insufficiently random or hard-coded cryptographic keys.

Such attacks can compromise the confidentiality of the system by enabling unauthorized access or impersonation through forged authentication tokens.

Since the exploit can be launched remotely without authentication, it poses a risk to systems running affected versions of open-webui, although the attack complexity is high.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the manipulation of the WEBUI_SECRET_KEY environment variable in the start_windows.bat script of open-webui versions up to 0.6.16, leading to insufficiently random JWT keys.

To detect this vulnerability on your system, you can check the value of the environment variables WEBUI_SECRET_KEY and WEBUI_JWT_SECRET_KEY when the open-webui service is running on a Windows environment.

  • Open a command prompt and run: echo %WEBUI_SECRET_KEY%
  • Run: echo %WEBUI_JWT_SECRET_KEY%

If these variables are empty strings or hard-coded to non-random values, the system is vulnerable.

Additionally, reviewing the start_windows.bat file around line 27 for the presence of default empty strings or hard-coded keys can help identify the issue.

Mitigation Strategies

No known countermeasures or mitigations have been identified for this vulnerability.

The suggested immediate step is to replace the affected component or product version of open-webui with a version that does not contain this vulnerability.

Alternatively, ensure that the WEBUI_SECRET_KEY and WEBUI_JWT_SECRET_KEY environment variables are set to sufficiently random and secure values before starting the application, to avoid the use of hard-coded or empty keys.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart