CVE-2025-15603
Insufficient Entropy in open-webui JWT Key Handler Allows Remote Attack
Publication date: 2026-03-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-webui | open-webui | From 0.6.0 (inc) to 0.6.16 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-310 | Cryptographic Issues |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15603 is a security vulnerability in open-webui versions up to 0.6.16, specifically in the JWT Key Handler component within the file backend/start_windows.bat.
The vulnerability arises because the argument WEBUI_SECRET_KEY is manipulated in a way that leads to insufficiently random values being generated for security-critical keys.
This results in the use of hard-coded or predictable cryptographic keys instead of properly randomized ones, which compromises the security of JSON Web Tokens (JWT) used for authentication.
The vulnerability can be exploited remotely without authentication, although the attack requires a high level of complexity and is considered difficult to execute.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to perform JWT forgery attacks due to the use of insufficiently random or hard-coded cryptographic keys.
Such attacks can compromise the confidentiality of the system by enabling unauthorized access or impersonation through forged authentication tokens.
Since the exploit can be launched remotely without authentication, it poses a risk to systems running affected versions of open-webui, although the attack complexity is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the manipulation of the WEBUI_SECRET_KEY environment variable in the start_windows.bat script of open-webui versions up to 0.6.16, leading to insufficiently random JWT keys.
To detect this vulnerability on your system, you can check the value of the environment variables WEBUI_SECRET_KEY and WEBUI_JWT_SECRET_KEY when the open-webui service is running on a Windows environment.
- Open a command prompt and run: echo %WEBUI_SECRET_KEY%
- Run: echo %WEBUI_JWT_SECRET_KEY%
If these variables are empty strings or hard-coded to non-random values, the system is vulnerable.
Additionally, reviewing the start_windows.bat file around line 27 for the presence of default empty strings or hard-coded keys can help identify the issue.
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been identified for this vulnerability.
The suggested immediate step is to replace the affected component or product version of open-webui with a version that does not contain this vulnerability.
Alternatively, ensure that the WEBUI_SECRET_KEY and WEBUI_JWT_SECRET_KEY environment variables are set to sufficiently random and secure values before starting the application, to avoid the use of hard-coded or empty keys.
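The two checks above (are the key variables empty or set to a fixed placeholder, and is the replacement value actually random) can be scripted. The following is an added example written for this page, not code from the open-webui project; it is in Python because that is the language of the open-webui backend. The variable names WEBUI_SECRET_KEY and WEBUI_JWT_SECRET_KEY come from the advisory; the length and entropy thresholds, the sample placeholder strings and the environment passed to audit_environment are this example's own constructed choices.

```python
import math
import os
import secrets
from collections import Counter

# Variables named in the advisory as the JWT signing key sources.
KEY_VARS = ("WEBUI_SECRET_KEY", "WEBUI_JWT_SECRET_KEY")

# Thresholds chosen for this example (assumptions, not project policy):
# a key shorter than this or with a lower estimated entropy is reported as weak.
MIN_LENGTH = 32     # characters
MIN_BITS = 128      # estimated entropy floor, in bits

# Constructed sample of placeholder strings that should never serve as a signing key.
PLACEHOLDERS = {"secret", "changeme", "password", "test", "default"}


def estimate_entropy_bits(value: str) -> float:
    """Rough upper bound on the entropy of a string, in bits.

    Uses the Shannon entropy of the per-character frequency distribution
    multiplied by the length. A repeated character ("aaaa...") scores 0;
    a string drawn from a CSPRNG scores close to its true entropy.
    """
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def assess_secret(value) -> str:
    """Classify a candidate key value as 'missing', 'weak' or 'ok'.

    'missing' : unset or blank, which is what the advisory describes as the
                condition that lets an empty or default key be used.
    'weak'    : a known placeholder, too short, or too little estimated entropy.
    'ok'      : long enough and random enough under the thresholds above.
    """
    if value is None or value.strip() == "":
        return "missing"
    if value.strip().lower() in PLACEHOLDERS:
        return "weak"
    if len(value) < MIN_LENGTH or estimate_entropy_bits(value) < MIN_BITS:
        return "weak"
    return "ok"


def generate_secret(nbytes: int = 32) -> str:
    """Produce a replacement key from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def audit_environment(env=None) -> dict:
    """Return {variable name: verdict} for each key variable.

    Pass a mapping to audit a captured environment; defaults to os.environ
    so it can be run on the host where open-webui is started.
    """
    env = os.environ if env is None else env
    return {name: assess_secret(env.get(name)) for name in KEY_VARS}


if __name__ == "__main__":
    # Constructed environment: one variable blank, the other a placeholder.
    sample_env = {"WEBUI_SECRET_KEY": "", "WEBUI_JWT_SECRET_KEY": "changeme"}
    for name, verdict in audit_environment(sample_env).items():
        print(f"{name}: {verdict}")
    # Both are reported; a freshly generated value passes the same check.
    print("replacement value verdict:", assess_secret(generate_secret()))
```

Run it without arguments to audit the host's current environment through os.environ; in the sample run above both variables are flagged, and the generated replacement is rated ok. The entropy estimate is only an upper bound on what a human-typed string could contain (it cannot tell a memorised passphrase from a random one of the same character mix), so the length check does most of the work against short hard-coded values.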