CVE-2026-44553 (GCVE-0-2026-44553)

Vulnerability from cvelistv5 – Published: 2026-05-15 19:54 – Updated: 2026-05-19 13:05

Title

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-613 - Insufficient Session Expiration

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T03:55:42.373483Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T13:05:50.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T19:54:09.869Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65"
        }
      ],
      "source": {
        "advisory": "GHSA-45m8-cpm2-3v65",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44553",
    "datePublished": "2026-05-15T19:54:09.869Z",
    "dateReserved": "2026-05-06T20:59:00.594Z",
    "dateUpdated": "2026-05-19T13:05:50.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44553",
      "date": "2026-05-27",
      "epss": "0.00033",
      "percentile": "0.10048"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44553\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T20:16:46.707\",\"lastModified\":\"2026-05-19T14:16:44.363\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.0\",\"matchCriteriaId\":\"0FB90EC3-1665-446E-AA35-4AEC207A2F3B\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44553\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-19T03:55:42.373483Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-15T20:21:12.075Z\"}}], \"cna\": {\"title\": \"Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access\", \"source\": {\"advisory\": \"GHSA-45m8-cpm2-3v65\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613: Insufficient Session Expiration\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T19:54:09.869Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44553\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-19T13:05:50.998Z\", \"dateReserved\": \"2026-05-06T20:59:00.594Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T19:54:09.869Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44553

Vulnerability from fkie_nvd - Published: 2026-05-15 20:16 - Updated: 2026-05-19 14:16

Severity

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0FB90EC3-1665-446E-AA35-4AEC207A2F3B",
              "versionEndExcluding": "0.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0."
    }
  ],
  "id": "CVE-2026-44553",
  "lastModified": "2026-05-19T14:16:44.363",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T20:16:46.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-45M8-CPM2-3V65

Vulnerability from github – Published: 2026-05-08 19:43 – Updated: 2026-05-15 23:52

Summary

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Details

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Affected Component

Socket.IO session state and role-check callsites: - backend/open_webui/socket/main.py (lines 330-351, connect handler — role snapshotted into SESSION_POOL) - backend/open_webui/socket/main.py (lines 393-398, heartbeat handler — does not refresh role) - backend/open_webui/socket/main.py (line 538, ydoc:document:join — uses cached role for admin check) - backend/open_webui/socket/main.py (line 611, document_save_handler — uses cached role for admin check) - backend/open_webui/routers/users.py (lines 557-633, role update — does not invalidate SESSION_POOL) - backend/open_webui/routers/users.py (line 641, user delete — does not invalidate SESSION_POOL)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions with the collaborative document (Yjs) Socket.IO handlers.

Description

When a user connects via Socket.IO, the connect handler authenticates them via JWT and stores their user record (including role) in the in-memory SESSION_POOL dictionary keyed by session ID. The heartbeat handler keeps the session alive indefinitely but only refreshes the last_seen_at timestamp — never the role.

Role checks in the Yjs collaborative document handlers (ydoc:document:join, document_save_handler) consult the cached SESSION_POOL role rather than the database. Meanwhile, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats).

HTTP endpoints are not affected — get_current_user at utils/auth.py refetches the user record from the database on every request. The gap is exclusive to the Socket.IO session cache.

# socket/main.py:330-351 — role snapshotted at connect time
async def connect(sid, environ, auth):
    user = None
    if auth and 'token' in auth:
        data = decode_token(auth['token'])
        if data is not None and 'id' in data:
            user = Users.get_user_by_id(data['id'])
        if user:
            SESSION_POOL[sid] = {
                'id': user.id,
                'role': user.role,   # ← snapshotted, never refreshed
                ...
            }

# socket/main.py:393-398 — heartbeat refreshes last_seen_at only
async def heartbeat(sid, data):
    user = SESSION_POOL.get(sid)
    if user:
        SESSION_POOL[sid] = {**user, 'last_seen_at': int(time.time())}
        # role is carried forward unchanged

# socket/main.py:538 — admin check against cached role
if user.get('role') != 'admin' and not has_access(user_id, 'note', note_id, 'read', db=db):
    return

Attack Scenario

User B is an admin and has an active browser session with a live Socket.IO connection. SESSION_POOL[sid] records role='admin'.
Admin A demotes User B to a regular user via POST /api/v1/users/{B_id}/update. The DB user.role becomes 'user'.
No Socket.IO disconnect, no SESSION_POOL update, no token revocation event is triggered by the role change.
User B's client continues sending heartbeat events every few seconds; these are accepted and only refresh last_seen_at.
User B emits ydoc:document:join with document_id = 'note:<victim_note_id>' for any note they do not own.
The handler at line 538 evaluates user.get('role') != 'admin' — returns False because SESSION_POOL still holds the stale admin role. Access check is bypassed, User B joins the document room, receives full document state and live updates.
User B emits ydoc:document:update for the same note. The handler at line 611 performs the same cached-admin check, bypasses authorization, and persists attacker-controlled content to the victim's note via Notes.update_note_by_id.

The same bypass occurs if the user is deleted entirely (delete_user_by_id) — the deleted user retains admin privileges on their live socket until disconnection.

Impact

Read access to any user's notes after admin privileges have been revoked
Write access (content injection, overwrite) to any user's notes under the same conditions
The stale privilege is bounded only by the attacker's willingness to keep the Socket.IO connection alive; heartbeats extend the session indefinitely
Official admin demotion or user deletion gives a false sense of security — HTTP access is correctly revoked, but real-time collaborative access silently continues

Preconditions

Attacker must have an active Socket.IO connection established while they held admin role
Attacker must retain the Socket.IO session after demotion/deletion (trivial — just don't close the browser)

Severity

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384",
      "CWE-613",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:43:49Z",
    "nvd_published_at": "2026-05-15T20:16:46Z",
    "severity": "HIGH"
  },
  "details": "# Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access\n\n## Affected Component\n\nSocket.IO session state and role-check callsites:\n- `backend/open_webui/socket/main.py` (lines 330-351, `connect` handler \u2014 role snapshotted into SESSION_POOL)\n- `backend/open_webui/socket/main.py` (lines 393-398, `heartbeat` handler \u2014 does not refresh role)\n- `backend/open_webui/socket/main.py` (line 538, `ydoc:document:join` \u2014 uses cached role for admin check)\n- `backend/open_webui/socket/main.py` (line 611, `document_save_handler` \u2014 uses cached role for admin check)\n- `backend/open_webui/routers/users.py` (lines 557-633, role update \u2014 does not invalidate SESSION_POOL)\n- `backend/open_webui/routers/users.py` (line 641, user delete \u2014 does not invalidate SESSION_POOL)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions with the collaborative document (Yjs) Socket.IO handlers.\n\n## Description\n\nWhen a user connects via Socket.IO, the `connect` handler authenticates them via JWT and stores their user record (including `role`) in the in-memory `SESSION_POOL` dictionary keyed by session ID. The `heartbeat` handler keeps the session alive indefinitely but only refreshes the `last_seen_at` timestamp \u2014 never the role.\n\nRole checks in the Yjs collaborative document handlers (`ydoc:document:join`, `document_save_handler`) consult the cached `SESSION_POOL` role rather than the database. Meanwhile, administrative role changes and user deletions do not iterate `SESSION_POOL` to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats).\n\nHTTP endpoints are not affected \u2014 `get_current_user` at [utils/auth.py](backend/open_webui/utils/auth.py) refetches the user record from the database on every request. The gap is exclusive to the Socket.IO session cache.\n\n```python\n# socket/main.py:330-351 \u2014 role snapshotted at connect time\nasync def connect(sid, environ, auth):\n    user = None\n    if auth and \u0027token\u0027 in auth:\n        data = decode_token(auth[\u0027token\u0027])\n        if data is not None and \u0027id\u0027 in data:\n            user = Users.get_user_by_id(data[\u0027id\u0027])\n        if user:\n            SESSION_POOL[sid] = {\n                \u0027id\u0027: user.id,\n                \u0027role\u0027: user.role,   # \u2190 snapshotted, never refreshed\n                ...\n            }\n\n# socket/main.py:393-398 \u2014 heartbeat refreshes last_seen_at only\nasync def heartbeat(sid, data):\n    user = SESSION_POOL.get(sid)\n    if user:\n        SESSION_POOL[sid] = {**user, \u0027last_seen_at\u0027: int(time.time())}\n        # role is carried forward unchanged\n\n# socket/main.py:538 \u2014 admin check against cached role\nif user.get(\u0027role\u0027) != \u0027admin\u0027 and not has_access(user_id, \u0027note\u0027, note_id, \u0027read\u0027, db=db):\n    return\n```\n\n## Attack Scenario\n\n1. User B is an admin and has an active browser session with a live Socket.IO connection. `SESSION_POOL[sid]` records `role=\u0027admin\u0027`.\n2. Admin A demotes User B to a regular user via `POST /api/v1/users/{B_id}/update`. The DB `user.role` becomes `\u0027user\u0027`.\n3. No Socket.IO disconnect, no SESSION_POOL update, no token revocation event is triggered by the role change.\n4. User B\u0027s client continues sending `heartbeat` events every few seconds; these are accepted and only refresh `last_seen_at`.\n5. User B emits `ydoc:document:join` with `document_id = \u0027note:\u003cvictim_note_id\u003e\u0027` for any note they do not own.\n6. The handler at line 538 evaluates `user.get(\u0027role\u0027) != \u0027admin\u0027` \u2014 returns `False` because `SESSION_POOL` still holds the stale `admin` role. Access check is bypassed, User B joins the document room, receives full document state and live updates.\n7. User B emits `ydoc:document:update` for the same note. The handler at line 611 performs the same cached-admin check, bypasses authorization, and persists attacker-controlled content to the victim\u0027s note via `Notes.update_note_by_id`.\n\nThe same bypass occurs if the user is deleted entirely (`delete_user_by_id`) \u2014 the deleted user retains admin privileges on their live socket until disconnection.\n\n## Impact\n\n- Read access to any user\u0027s notes after admin privileges have been revoked\n- Write access (content injection, overwrite) to any user\u0027s notes under the same conditions\n- The stale privilege is bounded only by the attacker\u0027s willingness to keep the Socket.IO connection alive; heartbeats extend the session indefinitely\n- Official admin demotion or user deletion gives a false sense of security \u2014 HTTP access is correctly revoked, but real-time collaborative access silently continues\n\n## Preconditions\n\n- Attacker must have an active Socket.IO connection established while they held admin role\n- Attacker must retain the Socket.IO session after demotion/deletion (trivial \u2014 just don\u0027t close the browser)",
  "id": "GHSA-45m8-cpm2-3v65",
  "modified": "2026-05-15T23:52:21Z",
  "published": "2026-05-08T19:43:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44553"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44553 (GCVE-0-2026-44553)

FKIE_CVE-2026-44553

GHSA-45M8-CPM2-3V65

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Affected Component

Affected Versions

Description

Attack Scenario

Impact

Preconditions

Tags

Sightings

Nomenclature