Open-WebUI Resource Exhaustion Vulnerability Allowing Denial-of-Service Conditions

Vulnerability

A denial-of-service vulnerability has been identified in Open-WebUI version 0.3.32. The issue arises during the sign-in process, where the application fails to validate the character length of email and password inputs. This lack of validation allows users to submit excessively large payloads, which can exhaust server resources such as CPU, memory, and disk space. As a result, the service becomes unavailable to legitimate users, creating a resource exhaustion attack vector that does not require authentication.
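The check whose absence is described above, as an added example (not code from Open-WebUI or from this advisory): the sign-in body and the email and password fields are bounded before any further processing. The function names and the byte limits are assumptions chosen for illustration.

```python
import json

# Assumed limits (not taken from Open-WebUI); tune them to the deployment.
MAX_BODY_BYTES = 4096      # whole sign-in request body
MAX_EMAIL_BYTES = 254      # upper bound applied to the address
MAX_PASSWORD_BYTES = 128   # cap applied before any hashing work


class SigninRejected(ValueError):
    """Raised when a sign-in payload fails the size or shape checks."""


def _bounded_str(obj, field, limit):
    value = obj.get(field)
    if not isinstance(value, str) or not value:
        raise SigninRejected(f"{field}: missing or not a string")
    # Measure encoded bytes, not characters: the byte count is what the
    # server stores and hashes. surrogatepass keeps the length check from
    # raising on lone surrogates produced by JSON escapes.
    if len(value.encode("utf-8", "surrogatepass")) > limit:
        raise SigninRejected(f"{field}: exceeds {limit} bytes")
    return value


def parse_signin(raw_body: bytes):
    """Validate a raw JSON sign-in body and return (email, password)."""
    # Reject oversized bodies before parsing so the JSON decoder never
    # allocates memory for them.
    if len(raw_body) > MAX_BODY_BYTES:
        raise SigninRejected("body: too large")
    try:
        obj = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        raise SigninRejected("body: not valid JSON") from None
    if not isinstance(obj, dict):
        raise SigninRejected("body: expected a JSON object")
    email = _bounded_str(obj, "email", MAX_EMAIL_BYTES)
    password = _bounded_str(obj, "password", MAX_PASSWORD_BYTES)
    return email.strip().lower(), password
```

A body-size limit at the reverse proxy or web server complements this check, since it stops oversized requests before they reach the application.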

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to become unresponsive and unavailable for legitimate users.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.