CVE-2025-63681

GHSA-frv8-gffc-37px LOW
Published December 4, 2025
CISO Take

CVE-2025-63681 is a broken object-level authorization flaw in Open-WebUI v0.6.33 that lets any authenticated user cancel any other user's running LLM inference task—no privilege escalation required. While CVSS is low and there is no data exposure, in multi-user or enterprise deployments a single compromised or malicious account can silently kill production inference workflows on demand. Upgrade when a patch ships; interim mitigation is restricting /api/tasks/stop/ to admin roles at the reverse proxy layer.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | pip | <= 0.6.33 | No patch |

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.0% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Trivial

Recommended Action

  1. Patch: No official fix released at CVE publication. Monitor open-webui GitHub releases and apply promptly when available.
  2. Workaround: Add reverse proxy rule (nginx/Caddy) to block or restrict POST /api/tasks/stop/ to admin session tokens only.
  3. Detection: Correlate /api/tasks/stop/ API calls with task ownership logs and alert when the calling user_id does not match the task creator user_id.
  4. Network control: If Open-WebUI is internal tooling, ensure /api/ endpoints are not externally reachable.
  5. Access hygiene: Audit and prune Open-WebUI accounts, removing dormant or shared credentials that could be abused.
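
One way to implement the detection in item 3, as an added example (not Open-WebUI code and not part of the advisory). It assumes a JSON-lines feed that merges task-creation records with reverse-proxy access logs carrying an authenticated user_id; the schema, field names, user names and sample events are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

STOP_PREFIX = "/api/tasks/stop/"  # endpoint named in the advisory

# Constructed sample events. The JSON-lines schema and field names are
# assumptions, not Open-WebUI's own log format.
SAMPLE_LOG = """\
{"ts":"2025-12-05T09:00:01Z","event":"task_created","task_id":"t-100","user_id":"alice"}
{"ts":"2025-12-05T09:00:07Z","event":"task_created","task_id":"t-101","user_id":"bob"}
{"ts":"2025-12-05T09:01:12Z","event":"http","method":"POST","path":"/api/tasks/stop/t-100","user_id":"alice"}
{"ts":"2025-12-05T09:02:30Z","event":"http","method":"POST","path":"/api/tasks/stop/t-101?x=1","user_id":"mallory"}
{"ts":"2025-12-05T09:02:41Z","event":"http","method":"POST","path":"/api/tasks/stop/t-999","user_id":"mallory"}
{"ts":"2025-12-05T09:03:00Z","event":"http","method":"GET","path":"/api/tasks","user_id":"mallory"}
truncated or non-JSON line
"""


def find_cross_user_stops(lines, admins=frozenset()):
    """Return alerts for stop calls whose caller is not the task's creator."""
    owners, alerts = {}, []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip unparseable lines rather than abort the run
        if not isinstance(ev, dict):
            continue
        if ev.get("event") == "task_created":
            owners[ev.get("task_id")] = ev.get("user_id")
            continue
        path = urlsplit(ev.get("path", "")).path  # drop any query string
        if (ev.get("event") != "http" or ev.get("method") != "POST"
                or not path.startswith(STOP_PREFIX)):
            continue
        task_id = path[len(STOP_PREFIX):].strip("/")
        caller, owner = ev.get("user_id"), owners.get(task_id)
        if caller in admins or caller == owner:
            continue  # admins and the task's own creator are expected callers
        # A task with no creation record is flagged too, since ownership is unprovable.
        reason = "owner_mismatch" if owner is not None else "unknown_task"
        alerts.append({"ts": ev.get("ts"), "task_id": task_id,
                       "caller": caller, "owner": owner, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_cross_user_stops(SAMPLE_LOG.splitlines()):
        print(alert)
```

Events must be fed in chronological order so that a task's creation record is seen before any stop call against it.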

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.2 - Access to AI systems and tools
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM06 - Excessive Agency

Technical Details

NVD Description

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

Exploitation Scenario

A disgruntled employee with a standard Open-WebUI account targets a colleague running a time-sensitive 45-minute LLM document analysis job. After observing the task initiation in the shared UI, the attacker calls POST /api/tasks/stop/{task_id} using their own valid session cookie—no elevated privileges, no special tooling, just curl. The task terminates silently with no attribution in the UI. The attacker repeats this pattern against any user's active jobs, creating sustained service degradation that appears as system instability rather than targeted interference. No native audit trail ties the stop event to the attacker's identity.

Timeline

Published: December 4, 2025
Last Modified: December 5, 2025
First Seen: March 24, 2026