
Auth bypass in Open-WebUI.

https://www.cve.org/CVERecord?id=CVE-2025-63391

An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.


@buherator Ugh. You might be right. It was published on the project's Issues page but not the Security page. And reading it is... not great. But MITRE issued a CVE for it so I shared it. Sorry, I can't read through them all, especially if they're things that don't impact my day job.
