CVE-2026-44564

CVE-2026-44564 is a medium-severity incorrect authorization vulnerability in open-webui (pip), affecting versions <= 0.8.12. It is fixed in 0.9.0.

Summary

Read-Only Users Can Modify Collaborative Documents via Socket.IO

Affected Component

Socket.IO collaborative document editing handler:

  • backend/open_webui/socket/main.py (lines 667-721, ydoc:document:update handler)

Affected Versions

The main branch at the time of the report and, most likely, every release that ships collaborative note editing; the advisory metadata lists pip releases <= 0.8.12 as affected.

Description

The ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the sender has write permission. Users with read-only access join the document room via ydoc:document:join, which only requires read permission (line 520). Once in the room, the user can emit ydoc:document:update events that modify the in-memory Yjs document state and are broadcast to all other collaborators in real time.

In the original report, document_save_handler (line 600) was believed to check write permission before persisting to the database, so the attacker could not save changes directly. The consolidated advisory (see Consolidation below) found that this handler in fact checked only read permission, so direct persistence was possible as well. Even without that second flaw, the tampered in-memory content is visible to every collaborator, and as soon as any user with write access saves the document, the injected content is persisted.

# ydoc:document:update handler (line 667), only checks room membership, not write permission
async def on_document_update(sid, data):
    document_id = normalize_document_id(data.get('document_id', ''))
    # ...
    room = f'doc_{document_id}'
    if room not in sio.rooms(sid):  # Room membership check only
        return
    # Applies update to Yjs state and broadcasts to all users
    YDOC_MANAGER.apply_update(document_id, update)
    await sio.emit('ydoc:document:update', {...}, room=room, skip_sid=sid)

Compare with ydoc:document:join (line 520) which checks permission:

# Only checks READ permission, so read-only users join the room
if not has_access(user_id, type, id, 'read', db=db):
    return

CVSS 3.1 Breakdown

Metric | Value | Rationale
Attack Vector | Network (N) | Exploited remotely via Socket.IO events
Attack Complexity | Low (L) | No special conditions; the attacker emits a standard Socket.IO event
Privileges Required | Low (L) | Requires a valid user account with read access to the shared note
User Interaction | None (N) | Modifications appear in real time without victim action; persistence, however, requires a write-access user to save
Scope | Unchanged (U) | Impact stays within the collaborative document context
Confidentiality | None (N) | No data disclosure beyond what read access already provides
Integrity | Low (L) | In-memory document state is modified and broadcast; persistence is indirect (requires another user to save)
Availability | Low (L) | The collaborative editing session can be disrupted with invalid content

Attack Scenario

  1. User A creates a note and shares it with User B with read permission.
  2. User B opens the note, which triggers ydoc:document:join; the server checks read permission and adds User B to the document room.
  3. User B emits ydoc:document:update with a crafted Yjs update payload via the Socket.IO connection (bypassing any frontend read-only enforcement).
  4. The server applies the update to the Yjs document state and broadcasts it to all collaborators.
  5. User A sees the injected content appear in their editor in real time.
  6. If User A saves the document (intentionally or via autosave), the tampered content is persisted to the database; User A's save passes the write permission check because User A is the owner.

Preconditions

  • Attacker must have a valid user account with read access to a shared note
  • The note must be open for collaborative editing (at least one other user viewing it, or the attacker can wait for a write-access user to open and save)

Consolidation

This advisory covers read-only users modifying collaborative notes over Socket.IO. Two handlers were affected, both fixed in v0.9.0:

  • ydoc:document:update checked only room membership, not write permission, so a read-only collaborator could inject in-memory document updates that were broadcast to other collaborators (persistence indirect). Reported by @Classic298.
  • document_save_handler checked permission='read' while persisting via Notes.update_note_by_id, so a read-only collaborator could persist note changes directly. Reported by @hacnho.

One CVE for the consolidated advisory.
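The following is an added example, not open-webui's code, that simulates the two authorization gaps described in the Description and Consolidation sections and the hardened checks that close them. It stands in for the project's helpers with small constructed equivalents: an ACL dictionary in place of the real notes table, a has_access() function with the same read/write semantics assumed, and an in-memory Server class in place of the Socket.IO server, the Yjs document manager and the database. The scenario replay follows the Attack Scenario steps above with the constructed users alice (owner) and bob (read-only).

```python
from dataclasses import dataclass, field

# Constructed ACL (assumption): note "n1" is owned by alice and shared read-only with bob.
ACL = {"n1": {"alice": {"read", "write"}, "bob": {"read"}}}


def has_access(user_id, note_id, permission):
    """Stand-in for the project's has_access() helper (assumed read/write semantics)."""
    return permission in ACL.get(note_id, {}).get(user_id, set())


@dataclass
class Session:
    sid: str
    user_id: str
    rooms: set = field(default_factory=set)


class Server:
    """In-memory stand-in for the Socket.IO server, Yjs state and notes table."""

    def __init__(self):
        self.sessions = {}       # sid -> Session
        self.ydoc_updates = {}   # document_id -> updates applied to the in-memory Yjs state
        self.db = {}             # document_id -> persisted content
        self.broadcasts = []     # (document_id, recipient sid, update) delivered to the room

    def connect(self, sid, user_id):
        self.sessions[sid] = Session(sid, user_id)

    def rooms(self, sid):
        return self.sessions[sid].rooms

    def emit_to_room(self, room, document_id, update, skip_sid):
        for s in self.sessions.values():
            if room in s.rooms and s.sid != skip_sid:
                self.broadcasts.append((document_id, s.sid, update))

    # ydoc:document:join: read permission is enough to enter the room (unchanged by the fix).
    def on_join(self, sid, document_id):
        if not has_access(self.sessions[sid].user_id, document_id, "read"):
            return "rejected"
        self.sessions[sid].rooms.add(f"doc_{document_id}")
        return "joined"

    def _apply_update(self, sid, document_id, update):
        self.ydoc_updates.setdefault(document_id, []).append(update)
        self.emit_to_room(f"doc_{document_id}", document_id, update, skip_sid=sid)
        return "applied"

    # Vulnerable ydoc:document:update: room membership is the only check.
    def on_update_vulnerable(self, sid, document_id, update):
        if f"doc_{document_id}" not in self.rooms(sid):
            return "rejected"
        return self._apply_update(sid, document_id, update)

    # Hardened ydoc:document:update: room membership AND write permission on the note.
    def on_update_fixed(self, sid, document_id, update):
        if f"doc_{document_id}" not in self.rooms(sid):
            return "rejected"
        if not has_access(self.sessions[sid].user_id, document_id, "write"):
            return "rejected"
        return self._apply_update(sid, document_id, update)

    # Save handler: `permission` is the level checked before persisting ('read' = vulnerable, 'write' = fixed).
    def on_save(self, sid, document_id, content, permission):
        if not has_access(self.sessions[sid].user_id, document_id, permission):
            return "rejected"
        self.db[document_id] = content
        return "persisted"


def run_scenario():
    """Replays the advisory's attack scenario against the vulnerable and fixed handlers."""
    srv = Server()
    srv.connect("sid-alice", "alice")
    srv.connect("sid-bob", "bob")
    assert srv.on_join("sid-alice", "n1") == "joined"
    assert srv.on_join("sid-bob", "n1") == "joined"   # read-only bob is admitted to the room

    results = {}
    # Steps 3-5: bob pushes an update; the vulnerable handler applies and broadcasts it.
    results["update_vulnerable"] = srv.on_update_vulnerable("sid-bob", "n1", b"injected")
    results["alice_received"] = ("n1", "sid-alice", b"injected") in srv.broadcasts
    results["update_fixed"] = srv.on_update_fixed("sid-bob", "n1", b"injected-2")
    # Step 6: the owner saves the in-memory state, persisting bob's injection.
    tampered = b"".join(srv.ydoc_updates["n1"])
    results["owner_save"] = srv.on_save("sid-alice", "n1", tampered, permission="write")
    results["persisted_has_injection"] = b"injected" in srv.db["n1"]
    # document_save_handler: a 'read' check lets bob persist directly; a 'write' check does not.
    results["bob_save_read_check"] = srv.on_save("sid-bob", "n1", b"direct", permission="read")
    results["bob_save_write_check"] = srv.on_save("sid-bob", "n1", b"direct", permission="write")
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The design point the fixed handler makes is that room membership is not an authorization decision: the join step only proves the caller may read, so every mutating event (update and save alike) has to re-check write access against the note itself rather than trust the room.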

Impact

  • Read-only users can inject, modify, or delete content in collaborative documents
  • Modifications are broadcast in real time to all collaborators, causing confusion or disruption
  • If a write-access user saves (including autosave), the tampered content is permanently persisted
  • Undermines the read/write permission model for collaborative editing

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

CVE-2026-44564 has a CVSS score of 5.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.0); upgrading removes the vulnerable code path.

Affected versions

open-webui (<= 0.8.12)

Security releases

open-webui → 0.9.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade open-webui to 0.9.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-44564? CVE-2026-44564 is a medium-severity incorrect authorization vulnerability in open-webui (pip), affecting versions <= 0.8.12. It is fixed in 0.9.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. How severe is CVE-2026-44564? CVE-2026-44564 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of open-webui are affected by CVE-2026-44564? open-webui (pip) versions <= 0.8.12 are affected.
  4. Is there a fix for CVE-2026-44564? Yes. CVE-2026-44564 is fixed in 0.9.0. Upgrade to this version or later.
  5. Is CVE-2026-44564 exploitable, and should I be worried? Whether CVE-2026-44564 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44564 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44564? Upgrade open-webui to 0.9.0 or later.
