+ "details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. It concerns the entropy of a one-time, first-run fallback in the optional `start_windows.bat` script, reached only when the operator has set no WEBUI_SECRET_KEY and no key file yet exists. The canonical startup paths (`start.sh`, `open-webui serve`) use cryptographic-strength entropy. The reporter's own CVSS rating is 3.7 LOW. This is a configuration default of an optional helper script — out of scope per the Open WebUI security policy (Rules 1, 6). No report on this specific issue was ever filed via the project's GHSA channel; the vendor was not contacted before publication. A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603/\n\n---\n\nA security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
0 commit comments