CVE-2026-59216 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability affects Open WebUI, a self-hosted AI platform designed for local deployment and management of artificial intelligence applications. The flaw exists in the event handling mechanism that processes socket.io events, specifically targeting the get_event_call functionality that manages execute:python and execute:tool events. The vulnerability stems from insufficient authorization checks during session validation, creating a critical security gap that allows unauthorized code execution within user sessions.

The technical implementation of this vulnerability involves a flawed access control mechanism where the system only verifies that a session remains connected without confirming proper authentication or authorization for that specific session. An authenticated attacker who can obtain another user's socket ID through the ydoc:document:join event can exploit this weakness to execute arbitrary Python code or tools within the target user's session context. This represents a privilege escalation vulnerability where session hijacking leads to remote code execution capabilities.

The operational impact of this vulnerability is severe as it allows attackers to gain unauthorized access to user sessions and execute malicious code within the context of those sessions. This could lead to data breaches, system compromise, or unauthorized access to sensitive information processed through the AI platform. The vulnerability affects all versions prior to 0.10.0, making a significant portion of deployments potentially vulnerable to exploitation. The attack requires knowledge of another user's socket ID, but once obtained through the ydoc:document:join mechanism, it provides a direct path to code execution.

This vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and demonstrates how insufficient access controls can lead to privilege escalation scenarios. From an ATT&CK perspective, this maps to T1059.001 for command and scripting interpreter and T1078.004 for valid accounts, as it exploits legitimate session mechanisms to gain unauthorized execution capabilities. The fix implemented in version 0.10.0 addresses the root cause by strengthening session validation to ensure proper authentication before allowing code execution events.

Organizations using Open WebUI versions prior to 0.10.0 should immediately upgrade to the patched version to mitigate this vulnerability. Additional mitigations include implementing network-level access controls, monitoring for unusual socket ID usage patterns, and ensuring proper authentication mechanisms are in place for all session management operations. Security teams should also review their deployment configurations to ensure that socket.io event handling follows proper authorization protocols and that session IDs are properly managed and validated before any execution events are processed.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!