PT-2026-56882 · Openwebui · Open-Webui

Publicado

2026-07-09

·

Atualizado

2026-07-09

·

CVE-2026-59216

CVSS v3.1

7.7

Alta

VetorAV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get event call delivered execute:python and execute:tool Socket.IO events to a client-supplied session id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.

Correção

Missing Authorization

IDOR

Code Injection

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-59216

Produtos afetados

Open-Webui