CVE-2025-15603 PUBLISHED

open-webui JWT Key start_windows.bat random values

Assigner: VulDB
Reserved: 07.03.2026 Published: 09.03.2026 Updated: 09.03.2026

A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 6.3

Product Status

Vendor n/a
Product open-webui
Versions
  • Version 0.6.0 is affected
  • Version 0.6.1 is affected
  • Version 0.6.2 is affected
  • Version 0.6.3 is affected
  • Version 0.6.4 is affected
  • Version 0.6.5 is affected
  • Version 0.6.6 is affected
  • Version 0.6.7 is affected
  • Version 0.6.8 is affected
  • Version 0.6.9 is affected
  • Version 0.6.10 is affected
  • Version 0.6.11 is affected
  • Version 0.6.12 is affected
  • Version 0.6.13 is affected
  • Version 0.6.14 is affected
  • Version 0.6.15 is affected
  • Version 0.6.16 is affected

Credits

  • I4m6da (VulDB User) reporter

References

Problem Types

  • Insufficiently Random Values CWE
  • Cryptographic Issues CWE