CVE-2026-59715 in Open WebUI
Summary
by MITRE • 07/09/2026
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability identified in Open WebUI versions between 0.6.16 and 0.10.0 represents a critical authorization flaw that undermines the security of collaborative document features. This issue stems from improper session management within the Socket.IO server implementation where the always_connect=True configuration creates an attack surface that allows unauthenticated users to manipulate real-time collaboration states. The vulnerability specifically affects the ydoc:awareness:update and ydoc:document:leave event handlers, which are designed to manage collaborative document environments but fail to validate user authentication status before processing incoming events.
The technical exploitation of this flaw enables attackers to inject malicious updates into document awareness states and force document leave events without proper authentication. This creates a scenario where unauthorized individuals can manipulate the collaborative environment by appearing as active participants or forcing legitimate users from documents, effectively disrupting normal collaboration workflows. The root cause aligns with CWE-287, which addresses improper authentication issues in software systems, and represents a direct violation of the principle of least privilege that should govern all collaborative features within secure applications.
From an operational impact perspective, this vulnerability compromises the integrity of real-time collaborative documents and can lead to data corruption, unauthorized access to sensitive information shared through collaborative environments, and disruption of legitimate user workflows. The attack vector is particularly concerning because it operates at the network level through Socket.IO connections, making detection more challenging for security monitoring systems that typically focus on HTTP-based traffic analysis. This vulnerability also aligns with ATT&CK technique T1078 004, which covers valid accounts used for unauthorized access, as the attack exploits legitimate connection mechanisms without requiring additional credential compromise.
Organizations relying on Open WebUI for collaborative AI platform operations face significant risks including potential data exposure, manipulation of shared documents, and disruption of business-critical workflows. The vulnerability essentially allows attackers to masquerade as authorized users within collaborative sessions, creating a false sense of security while simultaneously undermining the trust model that collaborative document systems depend upon. Security teams should prioritize immediate remediation through upgrading to version 0.10.0 or later, which implements proper authentication validation for all Socket.IO handlers. Additional mitigations include implementing network-level access controls, monitoring Socket.IO connection patterns, and establishing robust session management policies that enforce authentication requirements for all collaborative features.