CVE-2025-63681 | THREATINT

Description

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

PUBLISHED Reserved 2025-10-27 | Published 2025-12-04 | Updated 2025-12-05 | Assigner mitre

References

github.com/.../main/openwebui/arbitirary_task_stop/report.md exploit

github.com/...dae4ad2d802e568712b/backend/open_webui/main.py

github.com/.../main/openwebui/arbitirary_task_stop/report.md

cve.org (CVE-2025-63681)

nvd.nist.gov (CVE-2025-63681)