Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attacker must hold a validly-issued (revoked) token, so PR:L; network websocket reachability gives AV:N/AC:L; high confidentiality of realtime data, low integrity, no availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0 with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket first-message authentication used decode_token without the Redis-backed is_valid_token revocation check, allowing revoked JWTs to continue authenticating realtime connections. This issue is fixed in version 0.10.0.
AnalysisAI
Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the Open WebUI deployment is configured with Redis (the revocation store that the vulnerable path fails to consult); (2) the attacker possesses a JWT that was validly issued to a real account and has since been revoked (via logout, forced-logout, or account disablement) but has not yet reached its natural expiry; and (3) network reachability to the Socket.IO connect/user-join/join-channels/join-note or terminal websocket endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:L/A:N, score 7.1) indicates a network-reachable, low-complexity issue requiring low privileges - consistent with the need to possess a previously-issued (now revoked) JWT rather than to be fully unauthenticated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An employee is offboarded and their Open WebUI session token is revoked, or a user logs out after suspecting compromise. Because the terminal/Socket.IO first-message check only decodes the JWT and skips the Redis revocation lookup, the attacker (holding the still-unexpired-but-revoked token) reconnects over the websocket and regains realtime access to channels, notes, and the terminal until the token naturally expires. … |
| Remediation | Vendor-released patch: 0.10.0 - upgrade Open WebUI to version 0.10.0 or later, which restores the Redis-backed is_valid_token revocation check on the Socket.IO first-message authentication path (fix commit 33b91bd8ae8a100a5a306c91441a7d0b422c4cde, advisory GHSA-855v-hq7w-jmjw, release https://github.com/open-webui/open-webui/releases/tag/v0.10.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog all Open WebUI instances running versions 0.9.0-0.9.x configured with Redis. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42625