CVE-2025-63681

Publication date

2025-12-04 00:00:00

Family

mitre

State

PUBLISHED

Description

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.