Vulnerability Details CVE-2025-63681
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API endpoint /api/tasks/stop/ accesses and cancels tasks directly, without verifying that the requesting user owns them, which allows an attacker with a normal user account to stop arbitrary LLM response tasks.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.3%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2025-63681
- cpe:2.3:a:openwebui:open_webui:0.6.41