Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Handlers explicitly require no authentication per the advisory (PR:N), but AC:H reflects that useful exploitation requires knowing active document session identifiers unavailable to a blind external attacker.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionNVD
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.16 before 0.10.0, the Socket.IO server is configured with always_connect=True. The ydoc:awareness:update and ydoc:document:leave Socket.IO handlers accepted collaborative-document events without requiring an authenticated user, allowing unauthorized manipulation of document collaboration state. This issue is fixed in version 0.10.0.
AnalysisAI
Unauthenticated manipulation of collaborative document state is possible in Open WebUI versions 0.6.16 through 0.9.x, where the Socket.IO server's always_connect=True configuration allows the ydoc:awareness:update and ydoc:document:leave event handlers to process requests from any connected client regardless of identity. An attacker with network access to the platform can inject false collaborative presence data or trigger spurious document-leave events, disrupting active collaboration sessions for legitimate users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Yjs/YDoc collaborative document feature must be active and in use on the target Open WebUI instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS base score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) reflects a low-severity finding, but the vector contains a notable inconsistency with the description: the advisory explicitly states the handlers accept events 'without requiring an authenticated user,' which implies PR:N rather than PR:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to an Open WebUI instance connects to the Socket.IO endpoint without credentials - permitted because always_connect=True bypasses the authentication gate - then emits crafted ydoc:awareness:update events referencing an active document session to inject false cursor or presence data, or sends ydoc:document:leave to silently remove legitimate collaborators from their sessions. No public proof-of-concept code is known to exist, but the vulnerable event names are identifiable from Open WebUI's public source repository, lowering the knowledge barrier for a targeted attacker. |
| Remediation | Upgrade Open WebUI to version 0.10.0 or later; the fix was introduced in commit 22f2fe1ffb66c993dad1e0b2b35514acaed2370e via pull request #25946 and the patched release is available at https://github.com/open-webui/open-webui/releases/tag/v0.10.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42623