Open-webui: Weak Secret Key Generation in Windows Startup Script

CVE-2025-15603
Summary

A weakness in open-webui's Windows startup script (backend/start_windows.bat) causes the WEBUI_SECRET_KEY used by the JWT key handler to be generated from insufficiently random values, so the resulting secret key is weak. This could be exploited remotely, but it would be challenging to do so. To protect yourself, update to a newer version of open-webui.

Original title
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of t...
Original description
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used.
NVD CVSS 2.0: 2.6
NVD CVSS 3.1: 3.7
NVD CVSS 4.0: 6.3
Vulnerability type
CWE-310
CWE-330 Use of Insufficiently Random Values
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026
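
A defender-side check for the weakness described above, added here as an illustration and not taken from open-webui or from this advisory: it audits the secret a deployment already has and produces a replacement from the OS CSPRNG. It assumes the secret is available in the WEBUI_SECRET_KEY environment variable; the function names and the 128-bit floor are hypothetical choices for this example.

```python
import math
import os
import secrets
import string

MIN_BITS = 128  # assumed policy floor for an HMAC signing secret


def max_entropy_bits(key: str) -> float:
    """Upper bound on entropy implied by length and character classes used.

    A key cannot carry more than len * log2(pool) bits, so a low figure
    proves weakness; a high figure does not prove the generator was sound.
    """
    pool = 0
    if any(c in string.digits for c in key):
        pool += 10
    if any(c in string.ascii_lowercase for c in key):
        pool += 26
    if any(c in string.ascii_uppercase for c in key):
        pool += 26
    if any(c not in string.ascii_letters + string.digits for c in key):
        pool += 33  # ASCII punctuation plus space
    return len(key) * math.log2(pool) if pool else 0.0


def audit_key(key: str) -> dict:
    """Summarise the key without echoing it."""
    bits = max_entropy_bits(key)
    return {"length": len(key), "max_bits": round(bits, 1), "weak": bits < MIN_BITS}


def new_key() -> str:
    """Replacement secret: 32 bytes (256 bits) from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    current = os.environ.get("WEBUI_SECRET_KEY", "")
    report = audit_key(current)
    print(report)  # the existing key itself is never printed
    if report["weak"]:
        print("Replace WEBUI_SECRET_KEY with:", new_key())
```

Replacing the secret invalidates every token signed with the old one, so schedule the rotation accordingly.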