| 标题 | open-webui 6.16 Use of Hard-coded Cryptographic Key |
|---|
| 描述 | https://github.com/open-webui/open-webui/blob/4770285c04b81dfc3eb9ac173dfb2a8afef68105/backend/start_windows.bat#L27,In the script
By default%WEBUI_SECRET_KEY%%WEBUI_JWT_SECRET_KEY%is equal to""instead of" ". Therefore, in a Windows environment, when using start_windows.bat to start open-webui, a random JWT_SECRET_KEY cannot be generated correctly, but rather a hard coded one. This situation may be vulnerable to JWT forgery attacks |
|---|
| 来源 | ⚠️ https://huntr.com/bounties/b9fc7fee-d25d-4100-9703-5e78a61e1ce4 |
|---|
| 用户 | I4m6da (UID 95320) |
|---|
| 提交 | 2026-02-24 13時34分 (1 月前) |
|---|
| 管理 | 2026-03-07 18時27分 (11 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 349701 [open-webui 直到 0.6.16 JWT Key start_windows.bat WEBUI_SECRET_KEY 弱加密] |
|---|
| 积分 | 20 |
|---|