Unauthorized Document Manipulation in Open WebUI by Open WebUI
CVE-2026-59715
3.1LOW
What is CVE-2026-59715?
Open WebUI versions 0.6.16 through 0.9.9 have a significant vulnerability in their Socket.IO server configuration, which is set to always connect. This misconfiguration allows unauthenticated users to engage in collaborative-document events, enabling them to manipulate the state of document collaborations without authorization. This poses substantial security risks, necessitating an upgrade to version 0.10.0 or later to ensure integrity and security in document management.
Affected Version(s)
open-webui >= 0.6.16, < 0.10.0
