Missing Authentication for Critical Function in Open WebUI - #VU136844


Published: July 3, 2026


Vulnerability identifier: #VU136844
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate the session state of collaborative document rooms.

The vulnerability exists due to missing authentication for a critical function in the Socket.IO Ydoc event handlers `ydoc:awareness:update` and `ydoc:document:leave`, which process WebSocket events for collaborative document sessions. The handlers accept the user identifier carried in the event rather than verifying it against the identity bound to the authenticated socket session, so a remote user can send crafted Socket.IO events carrying another user's identifier and manipulate collaborative document session state on that user's behalf.

This can be used to spoof user presence and cursor awareness data in document rooms, and to broadcast false user-left events. The impact is limited to the integrity of presence and awareness state (CVSS VI:L); the advisory does not report disclosure or modification of document content.
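The pattern behind the issue, as an added example that is not Open WebUI's code: a Ydoc-style room is modelled in plain Python, and each of the two events named above is handled once in a variant that trusts the `user_id` in the client payload and once in a variant that takes the identity only from the authenticated socket session. The session table, the `Room` model, the `Rejected` exception and the `ydoc:user:left` broadcast name are assumptions made for illustration; python-socketio is deliberately not imported so the block runs offline, although real handlers receive `(sid, data)` in the same shape.

```python
"""Spoofable vs. session-bound identity in collaborative-document event handlers.

Constructed example, not Open WebUI's code. A Ydoc-style room (presence set,
per-user awareness state, events broadcast to the room) is modelled in memory,
and the two events from the advisory are handled in a 'trust the payload'
variant and a 'trust the authenticated session' variant.
"""
from dataclasses import dataclass, field

# Hypothetical connection table: socket id -> identity established at connect
# time (e.g. from a validated auth token). The client cannot change this later.
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}


class Rejected(Exception):
    """Raised by the hardened handlers when an event is not accepted."""


@dataclass
class Room:
    doc_id: str
    members: set = field(default_factory=set)       # user ids currently in the room
    awareness: dict = field(default_factory=dict)   # user id -> cursor/presence state
    broadcasts: list = field(default_factory=list)  # (event, ...) tuples sent to the room


# ---- vulnerable variants: identity is read from the client-controlled payload ----

def awareness_update_vulnerable(room: Room, sid: str, data: dict) -> None:
    user_id = data["user_id"]                       # attacker picks any value
    room.awareness[user_id] = data["state"]
    room.broadcasts.append(("ydoc:awareness:update", user_id, data["state"]))

def document_leave_vulnerable(room: Room, sid: str, data: dict) -> None:
    user_id = data["user_id"]                       # attacker picks any value
    room.members.discard(user_id)
    room.awareness.pop(user_id, None)
    room.broadcasts.append(("ydoc:user:left", user_id))   # event name is assumed


# ---- hardened variants: identity comes only from the authenticated session ----

def _authenticated_user(sid: str) -> str:
    if sid not in SESSIONS:
        raise Rejected(f"socket {sid} is not authenticated")
    return SESSIONS[sid]

def _check_not_spoofed(user_id: str, data: dict) -> None:
    # A client may echo its own id, but an id that differs from the session's
    # is an impersonation attempt: reject (and log) it instead of 'fixing' it.
    if "user_id" in data and data["user_id"] != user_id:
        raise Rejected(f"{user_id} tried to act as {data['user_id']}")

def awareness_update_hardened(room: Room, sid: str, data: dict) -> None:
    user_id = _authenticated_user(sid)
    _check_not_spoofed(user_id, data)
    if user_id not in room.members:
        raise Rejected(f"{user_id} has not joined {room.doc_id}")
    room.awareness[user_id] = data["state"]
    room.broadcasts.append(("ydoc:awareness:update", user_id, data["state"]))

def document_leave_hardened(room: Room, sid: str, data: dict) -> None:
    user_id = _authenticated_user(sid)
    _check_not_spoofed(user_id, data)
    room.members.discard(user_id)              # only the sender can leave
    room.awareness.pop(user_id, None)
    room.broadcasts.append(("ydoc:user:left", user_id))


def replay_spoofed_events() -> dict:
    """Send bob's events (two of them claiming to be alice) to both variants.

    Returns both resulting rooms and the number of events the hardened
    variant rejected, so the difference in final state can be inspected.
    """
    def fresh_room() -> Room:
        room = Room("doc-1", members={"alice", "bob"})
        room.awareness = {"alice": {"cursor": 10}, "bob": {"cursor": 0}}
        return room

    spoofed_update = {"user_id": "alice", "state": {"cursor": 999}}
    spoofed_leave = {"user_id": "alice"}
    honest_update = {"state": {"cursor": 5}}    # bob moving his own cursor

    vulnerable = fresh_room()
    awareness_update_vulnerable(vulnerable, "sid-bob", spoofed_update)
    document_leave_vulnerable(vulnerable, "sid-bob", spoofed_leave)

    hardened = fresh_room()
    rejected = 0
    for handler, payload in ((awareness_update_hardened, spoofed_update),
                             (document_leave_hardened, spoofed_leave),
                             (awareness_update_hardened, honest_update)):
        try:
            handler(hardened, "sid-bob", payload)
        except Rejected:
            rejected += 1
    return {"vulnerable": vulnerable, "hardened": hardened, "rejected": rejected}
```

In the vulnerable replay, bob's two events overwrite alice's cursor and then remove her from the room and announce her departure, exactly the presence spoofing and false user-left broadcast described above. In the hardened replay both spoofed events are rejected, bob's honest update still goes through, and alice's state is untouched; the check also refuses events from a socket with no authenticated identity, which is the CWE-306 condition itself.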


Remediation

Install the security update from the vendor's website.

Sources