Missing Authentication for Critical Function in Open WebUI - #VU136844
Published: July 3, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to manipulate the state of collaborative document sessions.
The vulnerability exists due to a missing authentication check for a critical function in the Socket.IO Ydoc event handlers `ydoc:awareness:update` and `ydoc:document:leave`, which handle WebSocket events for collaborative document sessions. A remote user can send crafted Socket.IO events carrying spoofed user identifiers to manipulate collaborative document session state.
This can be used to spoof user presence and cursor awareness data in document rooms and to broadcast false user-left events.
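As an added illustration (not Open WebUI's own code, which this advisory does not reproduce), the following minimal in-memory model contrasts the two handler patterns: the vulnerable form takes the user identifier from the event payload, while the hardened form derives it from the identity bound to the socket at connect time, requires the caller to be a member of the room, and rejects a payload identifier that disagrees. The `SESSIONS` table, `Room` class and handler names are assumptions for illustration.

```python
# Added example, not Open WebUI code. Models the Ydoc room handlers so the
# difference between trusting the payload and trusting the session is visible.
from dataclasses import dataclass, field

# SESSIONS maps a socket id to the identity established at connect time
# (in a real server this comes from the authenticated handshake). Constructed.
SESSIONS = {"sock-alice": {"id": "alice"}, "sock-mallory": {"id": "mallory"}}


@dataclass
class Room:
    members: set = field(default_factory=set)       # user ids currently joined
    awareness: dict = field(default_factory=dict)   # user id -> cursor/presence
    broadcasts: list = field(default_factory=list)  # events emitted to the room


def join(room: Room, sid: str) -> None:
    room.members.add(SESSIONS[sid]["id"])


# Vulnerable pattern: the user id is read straight from the client payload.
def awareness_update_vulnerable(room: Room, sid: str, data: dict) -> bool:
    room.awareness[data["user_id"]] = data["state"]
    return True


def document_leave_vulnerable(room: Room, sid: str, data: dict) -> bool:
    room.members.discard(data["user_id"])
    room.broadcasts.append(("user-left", data["user_id"]))
    return True


# Hardened pattern: identity comes from the session bound to the socket.
def _authorized_caller(room: Room, sid: str, data: dict):
    sess = SESSIONS.get(sid)
    if sess is None or sess["id"] not in room.members:
        return None                      # unauthenticated or not in this room
    if data.get("user_id") not in (None, sess["id"]):
        return None                      # payload claims a different user
    return sess["id"]


def awareness_update_hardened(room: Room, sid: str, data: dict) -> bool:
    uid = _authorized_caller(room, sid, data)
    if uid is None:
        return False
    room.awareness[uid] = data["state"]
    return True


def document_leave_hardened(room: Room, sid: str, data: dict) -> bool:
    uid = _authorized_caller(room, sid, data)
    if uid is None:
        return False
    room.members.discard(uid)
    room.broadcasts.append(("user-left", uid))
    return True
```

The same payload that overwrites another user's awareness entry in the vulnerable handler is rejected by the hardened one, and a leave event only ever removes the caller's own membership.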