CVE-2025-15603 MEDIUM

CVE-2025-15603: open-webui JWT Key start_windows.bat random values

Vendor N/A
Product open-webui
Weakness CWE-330 · Insufficient randomness
Published March 9, 2026
Last update March 10, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A security vulnerability has been detected in open-webui up to 0.6.16. It affects an unknown function in the file backend/start_windows.bat of the JWT Key Handler component. Manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. The attack can be launched remotely. It requires a high level of complexity, and exploitability is reported to be difficult. The exploit has been disclosed publicly and may be used.

Key dates

02 Disclosure timeline

March 9, 2026 CVE published
March 10, 2026 Record updated