PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59219 open-webui CVE debrief

Open WebUI, a self-hosted AI platform, had an authentication bypass issue. From version 0.9.0 to before 0.10.0, with Redis configured, the Socket.IO connection and certain websocket messages did not properly check for revoked JWTs, allowing continued authentication with revoked tokens. This issue was fixed in version 0.10.0. The affected product deployments should be reviewed, and owners should be assigned for follow-up.

Vendor
open-webui
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Open WebUI, especially those with Redis configured, should update to version 0.10.0 or later to address this authentication bypass vulnerability. Affected operator, platform, vulnerability-management, and security-team impact should be assessed.

Technical summary

In Open WebUI versions 0.9.0 to before 0.10.0, with Redis configured, the Socket.IO connection and certain websocket messages (user-join, join-channels, join-note, and terminal websocket first-message) used decode_token without the Redis-backed is_valid_token revocation check. This allowed revoked JWTs to continue authenticating realtime connections, effectively bypassing authentication. The issue was addressed in version 0.10.0. Affected product context and defensive impact should be assessed.

Defensive priority

High

Recommended defensive actions

  • Update Open WebUI to version 0.10.0 or later
  • Review and revoke any existing JWTs
  • Monitor for suspicious authentication attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-09T17:17:02.877Z and was last modified on 2026-07-10T18:17:21.790Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification is recommended to ensure accuracy.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T17:17:02.877Z and has not been modified since then. The NVD entry is currently Analyzed.