Improper Authorization in Open WebUI - #VU136842

Published: July 3, 2026


Vulnerability identifier: #VU136842
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to keep using realtime features with a JWT that has already been revoked.

The vulnerability exists due to improper access control in the realtime authentication endpoints: when a new Socket.IO connection or terminal websocket connection is established, the presented JWT is validated, but its revocation status is not checked. A remote user who holds a revoked token can present it to open new realtime connections and continue using realtime features.

Only deployments with Redis configured are affected. Authentication on ordinary HTTP requests correctly rejects the revoked token; only the realtime connection paths still accept it. Terminal websocket access is affected only when terminal servers are configured.
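The pattern described above, as an added illustration that is not Open WebUI's code and does not reproduce its internals: an HTTP authentication path that checks signature, expiry and a revocation list, next to a realtime connect handler that validates the same JWT but never consults the revocation list, and the hardened variant that reuses the HTTP check. The HS256 secret, the claim names, the in-memory RevocationStore standing in for Redis, and all function names are assumptions made for the example.

```python
"""Added example (not Open WebUI's code): a revoked JWT that the HTTP path
rejects is still accepted by a realtime connect handler that skips the
revocation check. Everything here is a stand-in built for illustration."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-signing-key"  # assumption: HS256 shared secret for this demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact HS256 JWS (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, secret: bytes = SECRET) -> dict:
    """Check the HMAC and the expiry only; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


class RevocationStore:
    """In-memory stand-in (assumption) for the Redis set of revoked token IDs."""

    def __init__(self):
        self._revoked = set()

    def revoke(self, jti: str) -> None:
        self._revoked.add(jti)

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked


def http_authenticate(token: str, store: RevocationStore) -> dict:
    """HTTP request path: signature, expiry and revocation are all enforced."""
    claims = verify_signature(token)
    if store.is_revoked(claims["jti"]):
        raise ValueError("revoked")
    return claims


def realtime_authenticate_vulnerable(token: str, store: RevocationStore) -> dict:
    """Socket.IO / websocket connect handler with the flaw the advisory describes:
    the JWT is validated, but the revocation store is never consulted."""
    return verify_signature(token)  # `store` is ignored; that is the bug


def realtime_authenticate_fixed(token: str, store: RevocationStore) -> dict:
    """Hardened handler: new realtime connections run the same check as HTTP."""
    return http_authenticate(token, store)


def is_accepted(handler, token: str, store: RevocationStore) -> bool:
    """True if the handler admits the token, False if it raises."""
    try:
        handler(token, store)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Mint a valid token, revoke it, then try each authentication path."""
    store = RevocationStore()
    token = mint_token({"sub": "alice", "jti": "t-1", "exp": time.time() + 3600})
    store.revoke("t-1")  # the session is invalidated after the token was issued
    return {
        "http": is_accepted(http_authenticate, token, store),
        "realtime_vulnerable": is_accepted(realtime_authenticate_vulnerable, token, store),
        "realtime_fixed": is_accepted(realtime_authenticate_fixed, token, store),
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in any deployment with a revocation list is that every entry point that accepts a bearer token, including websocket upgrade and Socket.IO connect handlers, goes through the same function as the HTTP middleware; a second, parallel validator that only decodes the JWT will drift exactly as shown here.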


Remediation

Install security update from vendor's website.

Sources