Unauthorized Document Manipulation in Open WebUI by Open WebUI
CVE-2026-59715

3.1LOW

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59715?

Open WebUI versions 0.6.16 through 0.9.9 have a significant vulnerability in their Socket.IO server configuration, which is set to always connect. This misconfiguration allows unauthenticated users to engage in collaborative-document events, enabling them to manipulate the state of document collaborations without authorization. This poses substantial security risks, necessitating an upgrade to version 0.10.0 or later to ensure integrity and security in document management.

Affected Version(s)

open-webui >= 0.6.16, < 0.10.0

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.