open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- <= 0.6.16
A vulnerability allowing JSON Web Token (JWT) forgery has been identified in open-webui versions through 0.6.16. The issue arises from the Windows startup script, backend/start_windows.bat, which improperly initializes the WEBUI_SECRET_KEY and WEBUI_JWT_SECRET_KEY variables. This misconfiguration prevents the generation of a secure, random JWT_SECRET_KEY, defaulting instead to a hard-coded value. As a result, an attacker could exploit this flaw to forge JWTs, potentially leading to unauthorized access and privilege escalation.
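The defect described above is a startup script that falls back to a fixed secret instead of generating a random one. The following is an added example, not code from open-webui or from the advisory, of the startup-time guard such a script (or the application it launches) should apply: refuse a secret that is unset, a known placeholder default, or too short, and otherwise reuse a persisted random key or generate a fresh one with a CSPRNG. The weak-default strings, the key-file name and the minimum length are constructed for illustration; the real hard-coded value from the advisory is not reproduced here.

```python
"""Startup guard for a JWT signing secret (added example, not open-webui code)."""
import secrets
from pathlib import Path

# Constructed placeholders standing in for the kind of hard-coded fallback a
# startup script might ship with. Comparison is case-insensitive.
KNOWN_WEAK_DEFAULTS = {"", "changeme", "t0p-s3cr3t", "secret", "your-secret-key"}

# Assumed policy: at least 32 bytes of key material for an HMAC-signed JWT.
MIN_SECRET_BYTES = 32

ENV_VAR = "WEBUI_SECRET_KEY"  # variable named in the advisory


def generate_secret() -> str:
    """Return a fresh URL-safe secret from the OS CSPRNG (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def check_secret(value):
    """Classify a candidate secret. Returns (ok, reason)."""
    if value is None or value.strip() == "":
        return False, "unset"
    if value.strip().lower() in KNOWN_WEAK_DEFAULTS:
        return False, "hard-coded default"
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        return False, "too short"
    return True, "ok"


def load_or_create_secret(env: dict, key_file: str) -> str:
    """Resolve the signing secret the way a startup script should.

    - An explicitly configured value is honoured only if it passes check_secret;
      a weak explicit value is a fatal misconfiguration, not something to paper
      over with a default (fail closed).
    - With nothing configured, reuse a previously persisted random key so tokens
      survive restarts, otherwise generate one and persist it.
    """
    configured = env.get(ENV_VAR)
    if configured is not None:
        ok, reason = check_secret(configured)
        if not ok:
            raise ValueError(f"{ENV_VAR} rejected: {reason}")
        return configured

    path = Path(key_file)
    if path.exists():
        stored = path.read_text(encoding="utf-8").strip()
        if check_secret(stored)[0]:
            return stored

    fresh = generate_secret()
    path.write_text(fresh, encoding="utf-8")
    return fresh


if __name__ == "__main__":
    import os
    import tempfile

    key_path = os.path.join(tempfile.mkdtemp(), ".webui_secret_key")
    first = load_or_create_secret({}, key_path)
    second = load_or_create_secret({}, key_path)
    print("persisted key reused across starts:", first == second)
    print("weak default verdict:", check_secret("changeme"))
```

The important behavioural difference from the flawed script is the fail-closed branch: an explicitly set but weak value stops startup instead of silently letting a predictable key sign every session token.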
Exploitation of this vulnerability allows for JWT forgery, which can be used to gain unauthorized access to sensitive data and elevate privileges from a normal user to an administrator. This could enable an attacker to manipulate system configurations, databases, and files.
To reproduce this vulnerability, use the start_windows.bat file to launch open-webui in a Windows environment. After the application is running, register as an administrator user and keep the application online. Then, use a Python script to connect to the application via WebSocket, retrieve the user ID of the online administrator, and forge a JWT token using the hard-coded secret key. Finally, send a request with the forged token to gain administrator privileges.