CVE-2025-63391: n/a
An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.
AI Analysis
Technical Summary
CVE-2025-63391 identifies a critical authentication bypass vulnerability in Open-WebUI versions up to 0.6.32. The vulnerability resides in the /api/config endpoint, which is designed to provide system configuration data. Due to missing authentication and authorization checks, this endpoint can be accessed remotely by unauthenticated attackers. This flaw allows attackers to retrieve sensitive configuration details that could include system settings, credentials, or other operational parameters. Such exposure can facilitate further attacks, including privilege escalation, lateral movement, or targeted exploitation of the affected system. The vulnerability does not require user interaction or prior authentication, making it straightforward to exploit if the endpoint is exposed to untrusted networks. Although no public exploits have been reported yet, the risk remains significant given the nature of the data exposed. Open-WebUI is commonly used in web-based management interfaces, and its compromise can undermine the security posture of the managed systems. The absence of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.
Potential Impact
For European organizations, the impact of CVE-2025-63391 can be substantial. Exposure of sensitive configuration data can lead to unauthorized disclosure of operational parameters, potentially including credentials or network configurations. This compromises confidentiality and may enable attackers to manipulate system settings, impacting integrity. The vulnerability could also lead to broader network compromise if attackers leverage the exposed data to pivot within the environment. Organizations relying on Open-WebUI for critical infrastructure management or internal system administration face increased risk of operational disruption and data breaches. The ease of exploitation without authentication increases the threat level, especially for systems accessible from external or semi-trusted networks. The lack of known exploits currently provides a window for proactive mitigation, but the potential for rapid weaponization exists. Failure to address this vulnerability could result in regulatory and compliance issues under European data protection laws if sensitive data is leaked.
Mitigation Recommendations
To mitigate CVE-2025-63391, organizations should first identify all instances of Open-WebUI in their environment and verify the version in use. Immediate steps include restricting network access to the /api/config endpoint using firewall rules, VPNs, or network segmentation to limit exposure to trusted users only. Implementing web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts can provide additional protection. If possible, upgrade Open-WebUI to a patched version once available or apply vendor-provided workarounds. Monitoring and logging access to the API endpoints should be enhanced to detect anomalous or unauthorized requests promptly. Additionally, reviewing and hardening system configurations and credentials exposed via the interface can reduce the risk of further exploitation. Organizations should also conduct security awareness and incident response planning to prepare for potential exploitation scenarios. Regular vulnerability scanning and penetration testing focused on management interfaces will help identify similar issues proactively.
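One way to act on the monitoring recommendation above, as an added example that is not part of this advisory or of the Open-WebUI project: a Python script that parses reverse-proxy access logs in NCSA combined format and flags successful /api/config reads coming from source addresses outside a trusted range. The log lines and the trusted networks are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log lines (NCSA combined format) from a reverse
# proxy in front of Open-WebUI; these are illustrative, not real observations.
SAMPLE_LOG = """\
10.0.8.15 - - [18/Dec/2025:14:02:11 +0000] "GET /api/config HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.77 - - [18/Dec/2025:14:02:13 +0000] "GET /api/config HTTP/1.1" 200 1842 "-" "curl/8.4.0"
203.0.113.77 - - [18/Dec/2025:14:02:14 +0000] "GET /api/config HTTP/1.1" 200 1842 "-" "curl/8.4.0"
198.51.100.9 - - [18/Dec/2025:14:03:40 +0000] "GET /api/v1/models HTTP/1.1" 401 52 "-" "python-requests/2.31"
198.51.100.9 - - [18/Dec/2025:14:03:41 +0000] "GET /api/config HTTP/1.1" 200 1842 "-" "python-requests/2.31"
"""

# Trusted source ranges: an assumption standing in for the operator's own
# management network. Anything else reading /api/config is flagged.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True if ip falls inside one of TRUSTED_NETS; unparsable addresses are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_config_hits(log_text):
    """Return {source_ip: count} of HTTP 200 reads of /api/config from outside TRUSTED_NETS."""
    hits = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == "/api/config" and rec["status"] == "200" and not is_trusted(rec["ip"]):
            hits[rec["ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in sorted(find_untrusted_config_hits(SAMPLE_LOG).items()):
        print(f"ALERT: {n} /api/config read(s) returned 200 to untrusted source {ip}")
```

Run it against the proxy's real access log instead of SAMPLE_LOG and adjust TRUSTED_NETS to the networks that are actually allowed to reach the interface.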
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69441d2a4eb3efac369420a5
Added to database: 12/18/2025, 3:26:34 PM
Last enriched: 12/18/2025, 4:00:00 PM
Last updated: 12/19/2025, 4:07:59 AM