Insufficient Verification of Data Authenticity Affecting open-webui package, versions <0.6.30-r1


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.24% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-OPENWEBUI-15406405
  • published5 Mar 2026
  • disclosed22 Sept 2025

Introduced: 22 Sep 2025

CVE-2025-59420  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

Upgrade Wolfi open-webui to version 0.6.30-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream open-webui package and not the open-webui package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.