Skip to content

Commit cd479fd

Browse files
committed
1 parent 98afca5 commit cd479fd

1 file changed

Lines changed: 24 additions & 11 deletions

File tree

advisories/unreviewed/2026/03/GHSA-2rf6-9rc8-rqch/GHSA-2rf6-9rc8-rqch.json

Lines changed: 24 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,28 +1,41 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2rf6-9rc8-rqch",
4-
"modified": "2026-03-09T21:31:38Z",
4+
"modified": "2026-03-09T21:31:50Z",
55
"published": "2026-03-09T21:31:38Z",
66
"aliases": [
77
"CVE-2025-15603"
88
],
9-
"details": "A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
10-
"severity": [
9+
"summary": "[DISPUTED BY VENDOR] open-webui WEBUI_SECRET_KEY Insufficiently Random Values in start_windows.bat",
10+
"details": "> **DISPUTED BY VENDOR (Open WebUI maintainers).** This advisory does not describe a vulnerability. It concerns the entropy of a one-time, first-run fallback in the optional `start_windows.bat` script, reached only when the operator has set no WEBUI_SECRET_KEY and no key file yet exists. The canonical startup paths (`start.sh`, `open-webui serve`) use cryptographic-strength entropy. The reporter's own CVSS rating is 3.7 LOW. This is a configuration default of an optional helper script — out of scope per the Open WebUI security policy (Rules 1, 6). No report on this specific issue was ever filed via the project's GHSA channel; the vendor was not contacted before publication. A formal REJECT request is pending with MITRE. See: https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603/\n\n---\n\nA security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.",
11+
"severity": [],
12+
"affected": [
1113
{
12-
"type": "CVSS_V3",
13-
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
14-
},
15-
{
16-
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
"package": {
15+
"ecosystem": "PyPI",
16+
"name": ""
17+
},
18+
"ranges": [
19+
{
20+
"type": "ECOSYSTEM",
21+
"events": [
22+
{
23+
"introduced": "0"
24+
}
25+
]
26+
}
27+
]
1828
}
1929
],
20-
"affected": [],
2130
"references": [
2231
{
2332
"type": "ADVISORY",
2433
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15603"
2534
},
35+
{
36+
"type": "WEB",
37+
"url": "https://docs.openwebui.com/security/vendor-dispositions/cve-2025-15603"
38+
},
2639
{
2740
"type": "WEB",
2841
"url": "https://huntr.com/bounties/b9fc7fee-d25d-4100-9703-5e78a61e1ce4"
@@ -42,7 +55,7 @@
4255
],
4356
"database_specific": {
4457
"cwe_ids": [],
45-
"severity": "MODERATE",
58+
"severity": "LOW",
4659
"github_reviewed": false,
4760
"github_reviewed_at": null,
4861
"nvd_published_at": "2026-03-09T21:16:09Z"

0 commit comments

Comments
 (0)