PT-2026-56832 · Openwebui · Open-Webui

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-59715

CVSS v3.1

3.1

Low

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59715

Affected Products

Open-Webui