Remote Code Execution Risk in Open WebUI by Open WebUI
CVE-2026-59216

7.7HIGH

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59216?

Open WebUI, an extensible and user-friendly self-hosted AI platform, is vulnerable to a remote code execution issue that affects versions prior to 0.10.0. This vulnerability allows authenticated users to exploit Socket.IO events, specifically through 'get_event_call', where an attacker can execute arbitrary Python code in the context of another user's session. This exposure arises from insufficient validation of the session_id provided by users who join the document via Socket.IO. The flaw has been addressed in version 0.10.0, which mitigates the associated risks. Users of the platform are advised to upgrade to this version promptly.

Affected Version(s)

open-webui < 0.10.0

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.