CVE-2025-63681 identifies an incorrect access control vulnerability in open-webui version 0.6.33, specifically in the API endpoint /api/tasks/stop/. This endpoint allows users to cancel ongoing large language model (LLM) response tasks. However, the implementation fails to verify whether the requesting user owns the task they are attempting to stop. As a result, any authenticated user with normal privileges can stop arbitrary tasks initiated by other users. This flaw violates the principle of least privilege and task ownership integrity, potentially disrupting legitimate task processing. The vulnerability is classified under CWE-284 (Improper Access Control). The CVSS v3.1 base score is 4.3 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, no confidentiality or availability impact, but partial integrity impact. There are no known exploits in the wild, and no patches have been released at the time of publication. The vulnerability was reserved on 2025-10-27 and published on 2025-12-04. The lack of ownership verification could be exploited to disrupt workflows by canceling critical LLM tasks, affecting service reliability and user trust in affected deployments.

For European organizations leveraging open-webui for managing LLM tasks, this vulnerability can lead to unauthorized cancellation of critical AI processing jobs. While it does not expose sensitive data or cause denial of service, it undermines task integrity and operational continuity. Disrupted AI workflows could delay business processes relying on LLM outputs, impacting sectors such as finance, healthcare, and research where AI-driven automation is increasingly integrated. The ability for any authenticated user to interfere with others’ tasks could also facilitate insider threats or sabotage in multi-tenant or collaborative environments. Although the vulnerability does not directly compromise confidentiality or availability, the integrity impact may reduce trust in AI service reliability and complicate incident response. Organizations with strict compliance requirements around data processing and task auditing may face regulatory scrutiny if such unauthorized task cancellations affect service guarantees or data handling procedures.

To mitigate CVE-2025-63681, organizations should implement strict access control checks on the /api/tasks/stop/ endpoint to verify that the requesting user owns the task they intend to cancel. This includes enforcing ownership validation in the API logic and applying role-based access controls to restrict task cancellation privileges. Monitoring and alerting on unusual or excessive task stop requests can help detect exploitation attempts. Network segmentation and API gateway controls should limit access to the task management APIs to trusted users and systems. Until an official patch is released, consider disabling or restricting the vulnerable API endpoint if feasible. Additionally, conduct regular audits of task cancellation logs to identify unauthorized actions. Educate users about the risk of misuse and enforce strong authentication mechanisms to reduce the risk of compromised credentials being used to exploit this flaw.