Improper Authorization in Open WebUI - #VU130167

Published: May 5, 2026


Vulnerability identifier: #VU130167
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to read and modify other users' notes.

The vulnerability exists because the Socket.IO session pool and the Yjs collaborative document handlers do not re-check the user's current authorization when processing Socket.IO events after an administrative role change or after the user has been deleted. A remote user can keep a previously established Socket.IO session alive and send crafted ydoc document join and update events to read and modify other users' notes.

HTTP endpoints are not affected. Exploitation requires a Socket.IO session that was established while the user still held the admin role; because the session is not invalidated when the role is revoked or the account is deleted, the stale session can be kept alive with heartbeat events.
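The following is an added illustrative model of the failure mode described above, not code from Open WebUI. It assumes a hypothetical in-memory session pool that snapshots the user's role when the socket connects (the vulnerable pattern), a hypothetical user store that an HTTP admin action modifies, and a single note owned by another user. A vulnerable ydoc update handler trusts the cached role; the fixed handler re-reads the user's current record on every event and tears the session down when the account no longer exists. All names, the scenario and the note content are constructed for the example.

```python
# Illustrative model (not Open WebUI code) of a Socket.IO session pool that
# caches the user's role at connect time, and of a ydoc update handler that
# re-checks authorization on every event instead of trusting that cache.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    id: str
    role: str  # "admin" or "user"


class UserStore:
    """Hypothetical stand-in for the users table (modified over HTTP)."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add(self, user: User) -> None:
        self._users[user.id] = user

    def get(self, uid: str) -> Optional[User]:
        return self._users.get(uid)

    def set_role(self, uid: str, role: str) -> None:
        self._users[uid].role = role

    def delete(self, uid: str) -> None:
        self._users.pop(uid, None)


@dataclass
class Session:
    sid: str
    user_id: str
    role: str  # snapshot taken at connect time and never refreshed


class SessionPool:
    """Hypothetical in-memory pool keyed by Socket.IO session id."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Session] = {}

    def connect(self, sid: str, user: User) -> Session:
        sess = Session(sid, user.id, user.role)
        self._by_sid[sid] = sess
        return sess

    def get(self, sid: str) -> Optional[Session]:
        return self._by_sid.get(sid)

    def heartbeat(self, sid: str) -> bool:
        # Keeps the session alive; it does not touch the cached role.
        return sid in self._by_sid

    def drop(self, sid: str) -> None:
        self._by_sid.pop(sid, None)


def can_edit(role: str, user_id: str, note: dict) -> bool:
    return role == "admin" or note["owner"] == user_id


def ydoc_update_vulnerable(pool, notes, sid, note_id, content) -> bool:
    """Trusts the role cached in the session: the flaw described above."""
    sess = pool.get(sid)
    if sess is None or not can_edit(sess.role, sess.user_id, notes[note_id]):
        return False
    notes[note_id]["content"] = content
    return True


def ydoc_update_fixed(pool, users, notes, sid, note_id, content) -> bool:
    """Re-reads the user's current record on every event; drops dead sessions."""
    sess = pool.get(sid)
    if sess is None:
        return False
    user = users.get(sess.user_id)
    if user is None:  # user deleted since connect: tear the session down
        pool.drop(sid)
        return False
    if not can_edit(user.role, user.id, notes[note_id]):
        return False
    notes[note_id]["content"] = content
    return True


def scenario():
    """Constructed scenario: admin 'bob' connects, is demoted, keeps the socket alive."""
    users, pool = UserStore(), SessionPool()
    users.add(User("alice", "user"))
    users.add(User("bob", "admin"))
    notes = {"n1": {"owner": "alice", "content": "original"}}
    pool.connect("sid-bob", users.get("bob"))
    users.set_role("bob", "user")  # admin role revoked via an HTTP admin action
    pool.heartbeat("sid-bob")      # stale socket survives the role change
    return users, pool, notes


def run() -> dict:
    users, pool, notes = scenario()
    vuln = ydoc_update_vulnerable(pool, notes, "sid-bob", "n1", "tampered")
    fixed = ydoc_update_fixed(pool, users, notes, "sid-bob", "n1", "tampered-2")
    users.delete("bob")
    deleted = ydoc_update_fixed(pool, users, notes, "sid-bob", "n1", "tampered-3")
    return {
        "vulnerable_allowed": vuln,
        "fixed_allowed": fixed,
        "deleted_allowed": deleted,
        "session_dropped": pool.get("sid-bob") is None,
        "content": notes["n1"]["content"],
    }


if __name__ == "__main__":
    print(run())
```

The vulnerable handler lets the demoted user overwrite alice's note because the only role it ever consults is the one frozen into the session at connect time. Re-reading the user record per event is the minimal fix; a defence-in-depth addition is to have the role-change and delete paths evict every session belonging to the affected user from the pool, so a stale socket cannot survive on heartbeats at all.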


Remediation

Install the security update from the vendor's website.

Sources