CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-3VR9-5M37-3MV9
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.
{
"affected": [],
"aliases": [
"CVE-2025-62329"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T16:15:59Z",
"severity": "MODERATE"
},
"details": "HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.",
"id": "GHSA-3vr9-5m37-3mv9",
"modified": "2025-12-16T18:31:32Z",
"published": "2025-12-16T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62329"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0127332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3W38-X6JP-8474
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-36377"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T21:22:14Z",
"severity": "MODERATE"
},
"details": "IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-3w38-x6jp-8474",
"modified": "2026-02-17T21:31:14Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36377"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7260390"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3WMF-6XRP-7QCH
Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-02-14 18:30Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2024-0008"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-14T18:15:47Z",
"severity": "MODERATE"
},
"details": "Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.",
"id": "GHSA-3wmf-6xrp-7qch",
"modified": "2024-02-14T18:30:26Z",
"published": "2024-02-14T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0008"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2024-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WXW-5W97-2CVF
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22OpenVPN Access Server older than version 2.8.4 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.
{
"affected": [],
"aliases": [
"CVE-2020-15074"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-14T18:15:00Z",
"severity": "MODERATE"
},
"details": "OpenVPN Access Server older than version 2.8.4 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.",
"id": "GHSA-3wxw-5w97-2cvf",
"modified": "2022-05-24T17:22:51Z",
"published": "2022-05-24T17:22:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15074"
},
{
"type": "WEB",
"url": "https://openvpn.net/vpn-server-resources/release-notes"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3XMV-HRQ3-4VC5
Vulnerability from github – Published: 2024-08-21 06:32 – Updated: 2024-08-21 06:32In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.
{
"affected": [],
"aliases": [
"CVE-2024-7998"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T06:15:13Z",
"severity": "LOW"
},
"details": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.",
"id": "GHSA-3xmv-hrq3-4vc5",
"modified": "2024-08-21T06:32:19Z",
"published": "2024-08-21T06:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7998"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2024/sa2024-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-424J-RR9Q-XRP9
Vulnerability from github – Published: 2023-11-01 00:30 – Updated: 2023-11-09 21:30Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out.
{
"affected": [],
"aliases": [
"CVE-2023-39695"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-31T23:15:08Z",
"severity": "MODERATE"
},
"details": "Insufficient session expiration in Elenos ETG150 FM Transmitter v3.12 allows attackers to arbitrarily change transmitter configuration and data after logging out.",
"id": "GHSA-424j-rr9q-xrp9",
"modified": "2023-11-09T21:30:34Z",
"published": "2023-11-01T00:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39695"
},
{
"type": "WEB",
"url": "https://github.com/strik3r0x1/Vulns/blob/35fe4fb3d5945b5df2a87aab0cf9ec6137bcf976/Insufficient%20Session%20Expiration%20-%20Elenos.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-436J-4GRC-7CJP
Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-04-21 15:32An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.
{
"affected": [],
"aliases": [
"CVE-2026-0971"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T15:16:35Z",
"severity": "MODERATE"
},
"details": "An improper session timeout issue in Fortra\u0027s GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.",
"id": "GHSA-436j-4grc-7cjp",
"modified": "2026-04-21T15:32:22Z",
"published": "2026-04-21T15:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0971"
},
{
"type": "WEB",
"url": "https://fortra.com/security/advisories/product-security/fi-2025-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-438X-2P9V-G8H9
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2023-03-01 18:56Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit 77e31bc6cdde7c951fba104aebcd5ebb3f02b030 which is included in the 2.6.0.1 release.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "camaleon_cms"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.7"
},
{
"fixed": "2.6.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25970"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-24T15:59:43Z",
"nvd_published_at": "2021-10-20T12:15:00Z",
"severity": "HIGH"
},
"details": "Camaleon CMS 0.1.7 through 2.6.0 doesn\u2019t terminate the active session of the users, even after the admin changes the user\u2019s password. A user that was already logged in, will still have access to the application even after the password was changed. Resolved in commit `77e31bc6cdde7c951fba104aebcd5ebb3f02b030` which is included in the `2.6.0.1` release.",
"id": "GHSA-438x-2p9v-g8h9",
"modified": "2023-03-01T18:56:46Z",
"published": "2022-05-24T22:28:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25970"
},
{
"type": "WEB",
"url": "https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030"
},
{
"type": "PACKAGE",
"url": "https://github.com/owen2345/camaleon-cms"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25970.yml"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Camaleon CMS Insufficient Session Expiration vulnerability"
}
GHSA-45HP-H3FX-8MR2
Vulnerability from github – Published: 2026-07-16 00:31 – Updated: 2026-07-16 00:31PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data.
In a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture's authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations.
The vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the Capture constructor, ensuring that state is isolated between capture operations.
{
"affected": [],
"aliases": [
"CVE-2026-63175"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T22:17:38Z",
"severity": "HIGH"
},
"details": "PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data.\n\nIn a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture\u0027s authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations.\n\nThe vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the Capture constructor, ensuring that state is isolated between capture operations.",
"id": "GHSA-45hp-h3fx-8mr2",
"modified": "2026-07-16T00:31:34Z",
"published": "2026-07-16T00:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-63175"
},
{
"type": "WEB",
"url": "https://github.com/Lookyloo/PlaywrightCapture/commit/1e354b9d8566f49dbb331410be24c7c295645d43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-45M8-CPM2-3V65
Vulnerability from github – Published: 2026-05-08 19:43 – Updated: 2026-05-15 23:52Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Affected Component
Socket.IO session state and role-check callsites:
- backend/open_webui/socket/main.py (lines 330-351, connect handler — role snapshotted into SESSION_POOL)
- backend/open_webui/socket/main.py (lines 393-398, heartbeat handler — does not refresh role)
- backend/open_webui/socket/main.py (line 538, ydoc:document:join — uses cached role for admin check)
- backend/open_webui/socket/main.py (line 611, document_save_handler — uses cached role for admin check)
- backend/open_webui/routers/users.py (lines 557-633, role update — does not invalidate SESSION_POOL)
- backend/open_webui/routers/users.py (line 641, user delete — does not invalidate SESSION_POOL)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with the collaborative document (Yjs) Socket.IO handlers.
Description
When a user connects via Socket.IO, the connect handler authenticates them via JWT and stores their user record (including role) in the in-memory SESSION_POOL dictionary keyed by session ID. The heartbeat handler keeps the session alive indefinitely but only refreshes the last_seen_at timestamp — never the role.
Role checks in the Yjs collaborative document handlers (ydoc:document:join, document_save_handler) consult the cached SESSION_POOL role rather than the database. Meanwhile, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats).
HTTP endpoints are not affected — get_current_user at utils/auth.py refetches the user record from the database on every request. The gap is exclusive to the Socket.IO session cache.
# socket/main.py:330-351 — role snapshotted at connect time
async def connect(sid, environ, auth):
user = None
if auth and 'token' in auth:
data = decode_token(auth['token'])
if data is not None and 'id' in data:
user = Users.get_user_by_id(data['id'])
if user:
SESSION_POOL[sid] = {
'id': user.id,
'role': user.role, # ← snapshotted, never refreshed
...
}
# socket/main.py:393-398 — heartbeat refreshes last_seen_at only
async def heartbeat(sid, data):
user = SESSION_POOL.get(sid)
if user:
SESSION_POOL[sid] = {**user, 'last_seen_at': int(time.time())}
# role is carried forward unchanged
# socket/main.py:538 — admin check against cached role
if user.get('role') != 'admin' and not has_access(user_id, 'note', note_id, 'read', db=db):
return
Attack Scenario
- User B is an admin and has an active browser session with a live Socket.IO connection.
SESSION_POOL[sid]recordsrole='admin'. - Admin A demotes User B to a regular user via
POST /api/v1/users/{B_id}/update. The DBuser.rolebecomes'user'. - No Socket.IO disconnect, no SESSION_POOL update, no token revocation event is triggered by the role change.
- User B's client continues sending
heartbeatevents every few seconds; these are accepted and only refreshlast_seen_at. - User B emits
ydoc:document:joinwithdocument_id = 'note:<victim_note_id>'for any note they do not own. - The handler at line 538 evaluates
user.get('role') != 'admin'— returnsFalsebecauseSESSION_POOLstill holds the staleadminrole. Access check is bypassed, User B joins the document room, receives full document state and live updates. - User B emits
ydoc:document:updatefor the same note. The handler at line 611 performs the same cached-admin check, bypasses authorization, and persists attacker-controlled content to the victim's note viaNotes.update_note_by_id.
The same bypass occurs if the user is deleted entirely (delete_user_by_id) — the deleted user retains admin privileges on their live socket until disconnection.
Impact
- Read access to any user's notes after admin privileges have been revoked
- Write access (content injection, overwrite) to any user's notes under the same conditions
- The stale privilege is bounded only by the attacker's willingness to keep the Socket.IO connection alive; heartbeats extend the session indefinitely
- Official admin demotion or user deletion gives a false sense of security — HTTP access is correctly revoked, but real-time collaborative access silently continues
Preconditions
- Attacker must have an active Socket.IO connection established while they held admin role
- Attacker must retain the Socket.IO session after demotion/deletion (trivial — just don't close the browser)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.12"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44553"
],
"database_specific": {
"cwe_ids": [
"CWE-384",
"CWE-613",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:43:49Z",
"nvd_published_at": "2026-05-15T20:16:46Z",
"severity": "HIGH"
},
"details": "# Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access\n\n## Affected Component\n\nSocket.IO session state and role-check callsites:\n- `backend/open_webui/socket/main.py` (lines 330-351, `connect` handler \u2014 role snapshotted into SESSION_POOL)\n- `backend/open_webui/socket/main.py` (lines 393-398, `heartbeat` handler \u2014 does not refresh role)\n- `backend/open_webui/socket/main.py` (line 538, `ydoc:document:join` \u2014 uses cached role for admin check)\n- `backend/open_webui/socket/main.py` (line 611, `document_save_handler` \u2014 uses cached role for admin check)\n- `backend/open_webui/routers/users.py` (lines 557-633, role update \u2014 does not invalidate SESSION_POOL)\n- `backend/open_webui/routers/users.py` (line 641, user delete \u2014 does not invalidate SESSION_POOL)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions with the collaborative document (Yjs) Socket.IO handlers.\n\n## Description\n\nWhen a user connects via Socket.IO, the `connect` handler authenticates them via JWT and stores their user record (including `role`) in the in-memory `SESSION_POOL` dictionary keyed by session ID. The `heartbeat` handler keeps the session alive indefinitely but only refreshes the `last_seen_at` timestamp \u2014 never the role.\n\nRole checks in the Yjs collaborative document handlers (`ydoc:document:join`, `document_save_handler`) consult the cached `SESSION_POOL` role rather than the database. Meanwhile, administrative role changes and user deletions do not iterate `SESSION_POOL` to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats).\n\nHTTP endpoints are not affected \u2014 `get_current_user` at [utils/auth.py](backend/open_webui/utils/auth.py) refetches the user record from the database on every request. The gap is exclusive to the Socket.IO session cache.\n\n```python\n# socket/main.py:330-351 \u2014 role snapshotted at connect time\nasync def connect(sid, environ, auth):\n user = None\n if auth and \u0027token\u0027 in auth:\n data = decode_token(auth[\u0027token\u0027])\n if data is not None and \u0027id\u0027 in data:\n user = Users.get_user_by_id(data[\u0027id\u0027])\n if user:\n SESSION_POOL[sid] = {\n \u0027id\u0027: user.id,\n \u0027role\u0027: user.role, # \u2190 snapshotted, never refreshed\n ...\n }\n\n# socket/main.py:393-398 \u2014 heartbeat refreshes last_seen_at only\nasync def heartbeat(sid, data):\n user = SESSION_POOL.get(sid)\n if user:\n SESSION_POOL[sid] = {**user, \u0027last_seen_at\u0027: int(time.time())}\n # role is carried forward unchanged\n\n# socket/main.py:538 \u2014 admin check against cached role\nif user.get(\u0027role\u0027) != \u0027admin\u0027 and not has_access(user_id, \u0027note\u0027, note_id, \u0027read\u0027, db=db):\n return\n```\n\n## Attack Scenario\n\n1. User B is an admin and has an active browser session with a live Socket.IO connection. `SESSION_POOL[sid]` records `role=\u0027admin\u0027`.\n2. Admin A demotes User B to a regular user via `POST /api/v1/users/{B_id}/update`. The DB `user.role` becomes `\u0027user\u0027`.\n3. No Socket.IO disconnect, no SESSION_POOL update, no token revocation event is triggered by the role change.\n4. User B\u0027s client continues sending `heartbeat` events every few seconds; these are accepted and only refresh `last_seen_at`.\n5. User B emits `ydoc:document:join` with `document_id = \u0027note:\u003cvictim_note_id\u003e\u0027` for any note they do not own.\n6. The handler at line 538 evaluates `user.get(\u0027role\u0027) != \u0027admin\u0027` \u2014 returns `False` because `SESSION_POOL` still holds the stale `admin` role. Access check is bypassed, User B joins the document room, receives full document state and live updates.\n7. User B emits `ydoc:document:update` for the same note. The handler at line 611 performs the same cached-admin check, bypasses authorization, and persists attacker-controlled content to the victim\u0027s note via `Notes.update_note_by_id`.\n\nThe same bypass occurs if the user is deleted entirely (`delete_user_by_id`) \u2014 the deleted user retains admin privileges on their live socket until disconnection.\n\n## Impact\n\n- Read access to any user\u0027s notes after admin privileges have been revoked\n- Write access (content injection, overwrite) to any user\u0027s notes under the same conditions\n- The stale privilege is bounded only by the attacker\u0027s willingness to keep the Socket.IO connection alive; heartbeats extend the session indefinitely\n- Official admin demotion or user deletion gives a false sense of security \u2014 HTTP access is correctly revoked, but real-time collaborative access silently continues\n\n## Preconditions\n\n- Attacker must have an active Socket.IO connection established while they held admin role\n- Attacker must retain the Socket.IO session after demotion/deletion (trivial \u2014 just don\u0027t close the browser)",
"id": "GHSA-45m8-cpm2-3v65",
"modified": "2026-05-15T23:52:21Z",
"published": "2026-05-08T19:43:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44553"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.