PatchSiren cyber security CVE debrief
CVE-2026-44564 open-webui CVE debrief
Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability in the Socket.IO real-time collaboration subsystem. The ydoc:document:update event handler validates that a user is a member of a document's Socket.IO room but fails to verify write permissions. Users with read-only access can join document rooms via ydoc:document:join (which only requires read permission) and subsequently emit ydoc:document:update events that modify the in-memory Yjs document state. These unauthorized modifications are broadcast to all collaborators in real time, allowing read-only users to alter shared documents. The vulnerability stems from missing authorization checks between room membership validation and permission enforcement. This issue was fixed in version 0.9.0.
- Vendor: open-webui
- Product: Unknown
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-19
Who should care
Organizations running self-hosted Open WebUI instances with multi-user document collaboration features enabled, particularly those relying on read-only access controls for sensitive document sharing.
Technical summary
The vulnerability exists in the ydoc:document:update Socket.IO event handler (line 678), which checks room membership but not write permissions. The ydoc:document:join handler (line 520) admits read-only users to document rooms because joining requires only read permission. Since the update handler treats room membership as sufficient authorization, a read-only user can escalate to write access over the in-memory Yjs document state.
Defensive priority
medium
Recommended defensive actions
- Upgrade Open WebUI to version 0.9.0 or later to remediate the authorization bypass vulnerability
- Review document collaboration permissions and audit access logs for unauthorized document modifications by read-only users
- Implement additional authorization controls at the application layer to verify write permissions before processing Yjs document updates
- Monitor Socket.IO event logs for anomalous ydoc:document:update emissions from users with read-only roles
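The following is an added illustration, not Open WebUI's code: a small in-memory model of the authorization gap described above, with the room-membership-only update handler beside a hardened one that also requires write permission and logs denied updates. The handler names, the access-level model (read/write), the session map and the sample ACL are all constructed assumptions for the example.

```python
"""Constructed model of the CVE-2026-44564 authorization gap (added example).

Not Open WebUI's code: handler names, the read/write access model, the
session table and the sample ACL below are assumptions for illustration.
It shows why Socket.IO room membership alone is not an authorization
check, and how an update handler should consult the caller's access level
before applying a Yjs-style document update.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical access levels; the advisory only distinguishes read-only and write.
READ, WRITE = "read", "write"


@dataclass
class DocumentState:
    # Simplified stand-in for an in-memory Yjs document: the list of applied updates.
    updates: List[str] = field(default_factory=list)
    # Socket.IO-style room membership: session ids that joined this document's room.
    room: Set[str] = field(default_factory=set)


@dataclass
class CollabServer:
    # document id -> (user id -> access level); constructed sample ACL.
    acl: Dict[str, Dict[str, str]]
    docs: Dict[str, DocumentState] = field(default_factory=dict)
    # session id -> user id, populated at authentication time.
    sessions: Dict[str, str] = field(default_factory=dict)
    broadcast_log: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def _access(self, sid: str, doc_id: str) -> Optional[str]:
        user = self.sessions.get(sid)
        if user is None:
            return None
        return self.acl.get(doc_id, {}).get(user)

    def join(self, sid: str, doc_id: str) -> bool:
        """ydoc:document:join analogue: read access is enough to enter the room."""
        if self._access(sid, doc_id) not in (READ, WRITE):
            return False
        self.docs.setdefault(doc_id, DocumentState()).room.add(sid)
        return True

    def update_vulnerable(self, sid: str, doc_id: str, update: str) -> bool:
        """Pre-0.9.0 pattern as the advisory describes it: room membership only."""
        doc = self.docs.get(doc_id)
        if doc is None or sid not in doc.room:
            return False
        self._apply(doc, doc_id, update)
        return True

    def update_fixed(self, sid: str, doc_id: str, update: str) -> bool:
        """Hardened pattern: room membership AND write permission are both required."""
        doc = self.docs.get(doc_id)
        if doc is None or sid not in doc.room:
            return False
        if self._access(sid, doc_id) != WRITE:
            # A denied update is the signal the advisory recommends monitoring:
            # an update emitted by a principal that only holds read access.
            self.audit_log.append(
                f"denied ydoc:document:update doc={doc_id} user={self.sessions.get(sid)}"
            )
            return False
        self._apply(doc, doc_id, update)
        return True

    def _apply(self, doc: DocumentState, doc_id: str, update: str) -> None:
        # Mutate shared state and fan the update out to every room member.
        doc.updates.append(update)
        for member in sorted(doc.room):
            self.broadcast_log.append(f"{doc_id}->{member}:{update}")


def demo() -> Dict[str, object]:
    """Run the same session against both handlers and return what each allowed."""
    acl = {"doc-1": {"alice": WRITE, "bob": READ}}  # constructed sample ACL
    results: Dict[str, object] = {}
    for name, handler in (("vulnerable", CollabServer.update_vulnerable),
                          ("fixed", CollabServer.update_fixed)):
        server = CollabServer(acl=acl)
        server.sessions = {"s-alice": "alice", "s-bob": "bob", "s-eve": "eve"}
        server.join("s-alice", "doc-1")
        server.join("s-bob", "doc-1")
        results[f"{name}_stranger_join"] = server.join("s-eve", "doc-1")  # no ACL entry
        results[f"{name}_writer"] = handler(server, "s-alice", "doc-1", "insert 'hello'")
        results[f"{name}_readonly"] = handler(server, "s-bob", "doc-1", "delete all")
        results[f"{name}_state"] = list(server.docs["doc-1"].updates)
        results[f"{name}_audit"] = list(server.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed handler deliberately keeps the room-membership check and adds the permission lookup after it: membership answers "is this socket part of the session", permission answers "may this user change the document", and the advisory's point is that only the second question authorizes a write. The audit line it emits on denial is the kind of record the monitoring recommendation above needs.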
Evidence notes
CVE published 2026-05-15; NVD analysis completed by 2026-05-19. Vendor advisory confirms exploitability and fix version. CVSS 5.4 (Medium) reflects network attack vector with low privileges required.
Official resources
- CVE-2026-44564 CVE record (CVE.org)
- CVE-2026-44564 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory (2026-05-15)