Remote Code Execution Risk in Open WebUI by Open WebUI
CVE-2026-59216
7.7HIGH
What is CVE-2026-59216?
Open WebUI, an extensible and user-friendly self-hosted AI platform, is vulnerable to a remote code execution issue that affects versions prior to 0.10.0. This vulnerability allows authenticated users to exploit Socket.IO events, specifically through 'get_event_call', where an attacker can execute arbitrary Python code in the context of another user's session. This exposure arises from insufficient validation of the session_id provided by users who join the document via Socket.IO. The flaw has been addressed in version 0.10.0, which mitigates the associated risks. Users of the platform are advised to upgrade to this version promptly.
Affected Version(s)
open-webui < 0.10.0
