GHSA-VRFH-RJ4Q-RMHR

Vulnerability from github – Published: 2026-05-08 20:00 – Updated: 2026-05-15 23:53
VLAI
Summary
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
Details

Read-Only Users Can Modify Collaborative Documents via Socket.IO

Affected Component

Socket.IO collaborative document editing handler: - backend/open_webui/socket/main.py (lines 667-721, ydoc:document:update handler)

Affected Versions

Current main branch and likely all versions with collaborative note editing.

Description

The ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the sender has write permission. Users with read-only access join the document room via ydoc:document:join, which only requires read permission (line 520). Once in the room, the user can emit ydoc:document:update events that modify the in-memory Yjs document state and are broadcast to all other collaborators in real time.

The document_save_handler (line 600) correctly checks write permission before persisting to the database, so the attacker cannot directly save changes. However, the tampered content is visible to all collaborators, and if any user with write access saves the document, the injected content is persisted.

# ydoc:document:update handler (line 667) — only checks room membership, not write permission
async def on_document_update(sid, data):
    document_id = normalize_document_id(data.get('document_id', ''))
    # ...
    room = f'doc_{document_id}'
    if room not in sio.rooms(sid):  # Room membership check only
        return
    # Applies update to Yjs state and broadcasts to all users
    YDOC_MANAGER.apply_update(document_id, update)
    await sio.emit('ydoc:document:update', {...}, room=room, skip_sid=sid)

Compare with ydoc:document:join (line 520) which checks permission:

# Only checks READ permission — so read-only users join the room
if not has_access(user_id, type, id, 'read', db=db):
    return

CVSS 3.1 Breakdown

Metric Value Rationale
Attack Vector Network (N) Exploited remotely via Socket.IO events
Attack Complexity Low (L) No special conditions; attacker emits a standard Socket.IO event
Privileges Required Low (L) Requires a valid user account with read access to the shared note
User Interaction None (N) Modifications appear in real time without victim action; however, persistence requires a write-access user to save
Scope Unchanged (U) Impact is within the collaborative document context
Confidentiality None (N) No data disclosure beyond what read access already provides
Integrity Low (L) In-memory document state is modified and broadcast; persistence is indirect (requires another user to save)
Availability Low (L) Collaborative editing session can be disrupted with invalid content

Attack Scenario

  1. User A creates a note and shares it with User B with read permission.
  2. User B opens the note, which triggers ydoc:document:join — the server checks read permission and adds User B to the document room.
  3. User B emits ydoc:document:update with a crafted Yjs update payload via the Socket.IO connection (bypassing any frontend read-only enforcement).
  4. The server applies the update to the Yjs document state and broadcasts it to all collaborators.
  5. User A sees the injected content appear in their editor in real time.
  6. If User A saves the document (intentionally or via autosave), the tampered content is persisted to the database — User A's save passes the write permission check since User A is the owner.

Impact

  • Read-only users can inject, modify, or delete content in collaborative documents
  • Modifications are broadcast in real time to all collaborators, causing confusion or disruption
  • If a write-access user saves (including autosave), the tampered content is permanently persisted
  • Undermines the read/write permission model for collaborative editing

Preconditions

  • Attacker must have a valid user account with read access to a shared note
  • The note must be open for collaborative editing (at least one other user viewing it, or the attacker can wait for a write-access user to open and save)
Severity
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T20:00:57Z",
    "nvd_published_at": "2026-05-15T20:16:48Z",
    "severity": "MODERATE"
  },
  "details": "# Read-Only Users Can Modify Collaborative Documents via Socket.IO\n\n## Affected Component\n\nSocket.IO collaborative document editing handler:\n- `backend/open_webui/socket/main.py` (lines 667-721, `ydoc:document:update` handler)\n\n## Affected Versions\n\nCurrent main branch and likely all versions with collaborative note editing.\n\n## Description\n\nThe `ydoc:document:update` Socket.IO event handler checks whether the sender is a member of the document\u0027s Socket.IO room (line 678) but does not verify that the sender has **write** permission. Users with read-only access join the document room via `ydoc:document:join`, which only requires `read` permission (line 520). Once in the room, the user can emit `ydoc:document:update` events that modify the in-memory Yjs document state and are broadcast to all other collaborators in real time.\n\nThe `document_save_handler` (line 600) correctly checks `write` permission before persisting to the database, so the attacker cannot directly save changes. However, the tampered content is visible to all collaborators, and if any user with write access saves the document, the injected content is persisted.\n\n```python\n# ydoc:document:update handler (line 667) \u2014 only checks room membership, not write permission\nasync def on_document_update(sid, data):\n    document_id = normalize_document_id(data.get(\u0027document_id\u0027, \u0027\u0027))\n    # ...\n    room = f\u0027doc_{document_id}\u0027\n    if room not in sio.rooms(sid):  # Room membership check only\n        return\n    # Applies update to Yjs state and broadcasts to all users\n    YDOC_MANAGER.apply_update(document_id, update)\n    await sio.emit(\u0027ydoc:document:update\u0027, {...}, room=room, skip_sid=sid)\n```\n\nCompare with `ydoc:document:join` (line 520) which checks permission:\n\n```python\n# Only checks READ permission \u2014 so read-only users join the room\nif not has_access(user_id, type, id, \u0027read\u0027, db=db):\n    return\n```\n\n## CVSS 3.1 Breakdown\n\n| Metric | Value | Rationale |\n|--------|-------|-----------|\n| Attack Vector | Network (N) | Exploited remotely via Socket.IO events |\n| Attack Complexity | Low (L) | No special conditions; attacker emits a standard Socket.IO event |\n| Privileges Required | Low (L) | Requires a valid user account with read access to the shared note |\n| User Interaction | None (N) | Modifications appear in real time without victim action; however, persistence requires a write-access user to save |\n| Scope | Unchanged (U) | Impact is within the collaborative document context |\n| Confidentiality | None (N) | No data disclosure beyond what read access already provides |\n| Integrity | Low (L) | In-memory document state is modified and broadcast; persistence is indirect (requires another user to save) |\n| Availability | Low (L) | Collaborative editing session can be disrupted with invalid content |\n\n## Attack Scenario\n\n1. User A creates a note and shares it with User B with **read** permission.\n2. User B opens the note, which triggers `ydoc:document:join` \u2014 the server checks read permission and adds User B to the document room.\n3. User B emits `ydoc:document:update` with a crafted Yjs update payload via the Socket.IO connection (bypassing any frontend read-only enforcement).\n4. The server applies the update to the Yjs document state and broadcasts it to all collaborators.\n5. User A sees the injected content appear in their editor in real time.\n6. If User A saves the document (intentionally or via autosave), the tampered content is persisted to the database \u2014 User A\u0027s save passes the write permission check since User A is the owner.\n\n## Impact\n\n- Read-only users can inject, modify, or delete content in collaborative documents\n- Modifications are broadcast in real time to all collaborators, causing confusion or disruption\n- If a write-access user saves (including autosave), the tampered content is permanently persisted\n- Undermines the read/write permission model for collaborative editing\n\n## Preconditions\n\n- Attacker must have a valid user account with read access to a shared note\n- The note must be open for collaborative editing (at least one other user viewing it, or the attacker can wait for a write-access user to open and save)",
  "id": "GHSA-vrfh-rj4q-rmhr",
  "modified": "2026-05-15T23:53:19Z",
  "published": "2026-05-08T20:00:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vrfh-rj4q-rmhr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44564"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.