CVE-2025-63391 is a high-severity authentication bypass vulnerability found in Open-WebUI versions up to 0.6.32. The vulnerability resides in the /api/config REST API endpoint, which lacks proper authentication and authorization mechanisms. This flaw allows unauthenticated remote attackers to retrieve sensitive system configuration data without any credentials or user interaction. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The CVSS v3.1 base score is 7.5, reflecting the ease of remote exploitation (attack vector: network), low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can access sensitive configuration details that could facilitate further attacks or system compromise. There is no reported impact on integrity or availability. No patches or exploit code are currently publicly available, but the vulnerability is published and should be treated as a significant risk. Open-WebUI is often used in web-based management interfaces for various systems, making this vulnerability particularly dangerous if exposed to untrusted networks. The lack of authentication on a critical configuration endpoint represents a serious security oversight that could lead to information disclosure and potential follow-on attacks.

For European organizations, this vulnerability poses a significant risk of sensitive configuration data exposure, which could include credentials, network settings, or system parameters. Such exposure can facilitate lateral movement, privilege escalation, or targeted attacks against critical infrastructure or enterprise systems. Organizations in sectors such as energy, telecommunications, manufacturing, and government that utilize Open-WebUI for device or system management are particularly at risk. The confidentiality breach could lead to regulatory non-compliance under GDPR if personal or sensitive data is indirectly exposed. Although no integrity or availability impact is reported, the information disclosure alone can undermine trust and security posture. The lack of known exploits in the wild currently reduces immediate risk, but the vulnerability’s ease of exploitation and network accessibility make it a likely target for attackers once exploit code becomes available.

1. Immediately restrict network access to the /api/config endpoint using firewall rules or network segmentation to limit exposure to trusted management networks only. 2. Monitor network traffic for unauthorized access attempts to the vulnerable endpoint. 3. Implement strong authentication and authorization controls at the application or proxy level if possible, to enforce access restrictions until an official patch is released. 4. Stay informed on Open-WebUI updates and apply security patches promptly once available. 5. Conduct security audits and penetration testing focused on web management interfaces to identify similar vulnerabilities. 6. Employ intrusion detection/prevention systems (IDS/IPS) to detect anomalous API access patterns. 7. Educate system administrators about the risks of exposing management interfaces to untrusted networks. 8. Consider temporary disabling or replacing Open-WebUI with alternative management solutions if feasible until the vulnerability is remediated.