CVE-2026-44553

Exploit

EPSS 0.28%
Veröffentlicht 15.05.2026 19:54:09
Zuletzt bearbeitet 19.05.2026 14:16:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openwebui ≫ Open Webui Version < 0.9.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.199

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-44553

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-44553

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-44553

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-44553