PT-2026-39281 · Unknown · Open-Webui

| Published | 2026-05-08 |
| Updated | 2026-05-15 |
| CVE | CVE-2026-44564 |
| CVSS v3.1 | 5.4 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Open WebUI versions prior to 0.9.0
Description
The `ydoc:document:update` Socket.IO event handler does not verify whether the sender has write permission on the document; it checks only that the sender is a member of the document's Socket.IO room. Users with read-only access can join that room via `ydoc:document:join`, which requires only read permission. Consequently, a user with read-only access can emit `ydoc:document:update` events that modify the in-memory Yjs document state, which is then broadcast to all collaborators in real time. The document save handler function correctly verifies write permission before writing to the database, but the tampered content remains visible to all collaborators and can be permanently persisted if a user with write access saves the document.

Recommendations
Update to version 0.9.0.
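As an added illustration of the authorization gap described above (this is not Open WebUI's code; the `Doc`, `SessionState` and `handle_*` names and the in-memory model are assumptions made for the example), the following Python models a join handler gated on read permission, the update handler that checks only room membership, the corrected update handler that also checks write permission, and a save handler that verifies write permission but persists whatever the in-memory state holds:

```python
"""
Illustrative model of a collaborative-document authorization check.
Added example, not the project's code. Names and data model are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Doc:
    doc_id: str
    readers: set = field(default_factory=set)   # users with read-only access
    writers: set = field(default_factory=set)   # users with write access
    state: list = field(default_factory=list)   # stand-in for in-memory Yjs updates


@dataclass
class SessionState:
    rooms: dict = field(default_factory=dict)       # doc_id -> user_ids in the room
    broadcasts: list = field(default_factory=list)  # (doc_id, update) sent to collaborators


def can_read(doc, user):
    return user in doc.readers or user in doc.writers


def can_write(doc, user):
    return user in doc.writers


def handle_join(state, doc, user):
    """join event: requires read permission, as the advisory describes."""
    if not can_read(doc, user):
        return "forbidden"
    state.rooms.setdefault(doc.doc_id, set()).add(user)
    return "joined"


def handle_update_vulnerable(state, doc, user, update):
    """update event, weak form: room membership is the only check.
    Anyone who could join (read permission) passes."""
    if user not in state.rooms.get(doc.doc_id, set()):
        return "forbidden"
    doc.state.append(update)                        # in-memory state modified
    state.broadcasts.append((doc.doc_id, update))   # pushed to every collaborator
    return "applied"


def handle_update_fixed(state, doc, user, update):
    """update event, corrected form: room membership AND write permission.
    The permission check is made against the document, not the room."""
    if user not in state.rooms.get(doc.doc_id, set()):
        return "forbidden"
    if not can_write(doc, user):
        return "forbidden"
    doc.state.append(update)
    state.broadcasts.append((doc.doc_id, update))
    return "applied"


def handle_save(doc, user, db):
    """save: checks write permission but persists the current in-memory state,
    so a tampered state is written through when a legitimate writer saves."""
    if not can_write(doc, user):
        return "forbidden"
    db[doc.doc_id] = list(doc.state)
    return "saved"


def scenario(update_handler):
    """Constructed scenario: a read-only user joins and emits an update,
    then a writer saves. Returns (update result, what reached the database)."""
    doc = Doc("doc-1", readers={"viewer"}, writers={"editor"})
    state, db = SessionState(), {}
    assert handle_join(state, doc, "viewer") == "joined"
    assert handle_join(state, doc, "editor") == "joined"
    result = update_handler(state, doc, "viewer", "tampered-bytes")
    handle_save(doc, "editor", db)
    return result, db.get("doc-1", [])


if __name__ == "__main__":
    print("weak check:     ", scenario(handle_update_vulnerable))
    print("corrected check:", scenario(handle_update_fixed))
```

The point the model makes is that room membership is a connection-level fact, not an authorization decision: the corrected handler re-checks the document permission on every mutating event, which is the check that closes the gap regardless of who else is in the room.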
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Open-Webui