CVSS 8.1 HIGH Vulnerability

CVE-2026-44553: Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User N…


CVSS Score: 8.1
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-44553
Vendor: pip
Affected Product: open-webui
Vulnerability Type: Vulnerability
CVSS Score: 8.1 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Affected Component

Socket.IO session state and role-check callsites:

backend/open_webui/socket/main.py (lines 330-351, connect handler — role snapshotted into SESSION_POOL)
backend/open_webui/socket/main.py (lines 393-398, heartbeat handler — does not refresh role)
backend/open_webui/socket/main.py (line 538, ydoc:document:join — uses cached role for admin check)
backend/open_webui/socket/main.py (line 611, document_save_handler — uses cached role for admin check)
backend/open_webui/routers/users.py (lines 557-633, role update — does not invalidate SESSION_POOL)
backend/open_webui/routers/users.py (line 641, user delete — does not invalidate SESSION_POOL)
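
The pattern listed above, as an added example that is not Open WebUI's code: a simplified Python model in which the role is snapshotted at connect time, next to the two corrections the listed gaps point to (resolving the role per event, and dropping sessions on role change or delete). Every function name and the sample user are hypothetical; only SESSION_POOL is a name taken from the advisory.

```python
# Simplified model, not Open WebUI code. All function names are hypothetical;
# only SESSION_POOL is a name taken from the advisory.
USERS = {}          # authoritative store (stands in for the database)
SESSION_POOL = {}   # sid -> {"id": user_id, "role": role snapshot}

def connect(sid, user_id):
    # Connect handler: the role is copied into the session once.
    SESSION_POOL[sid] = {"id": user_id, "role": USERS[user_id]["role"]}

def drop_sessions(user_id):
    # Remove every live session of the user so the next event must re-authenticate.
    for sid in [s for s, v in SESSION_POOL.items() if v["id"] == user_id]:
        del SESSION_POOL[sid]

def set_role(user_id, role, invalidate=False):
    # Role update. invalidate=False models the gap: the session pool is untouched.
    USERS[user_id]["role"] = role
    if invalidate:
        drop_sessions(user_id)

def delete_user(user_id, invalidate=False):
    # User delete. invalidate=False leaves the user's sessions in the pool.
    USERS.pop(user_id, None)
    if invalidate:
        drop_sessions(user_id)

def is_admin_cached(sid):
    # Weak check: trusts the snapshot taken at connect time.
    sess = SESSION_POOL.get(sid)
    return sess is not None and sess["role"] == "admin"

def is_admin_fresh(sid):
    # Hardened check: resolves the role from the authoritative store per event.
    sess = SESSION_POOL.get(sid)
    user = USERS.get(sess["id"]) if sess else None
    return user is not None and user["role"] == "admin"

def demo():
    USERS.clear()
    SESSION_POOL.clear()
    USERS["alice"] = {"role": "admin"}      # constructed sample data
    connect("sid-1", "alice")
    set_role("alice", "user")               # demotion without invalidation
    stale, fresh = is_admin_cached("sid-1"), is_admin_fresh("sid-1")
    set_role("alice", "user", invalidate=True)
    return {"cached_after_demotion": stale, "fresh_after_demotion": fresh,
            "session_alive_after_invalidation": "sid-1" in SESSION_POOL}

if __name__ == "__main__":
    print(demo())
```
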

Affected

🎯 Known Indicators of Compromise

{"type":"domain","value":"socket.io","confidence_score":0.75,"first_seen":"2026-05-08","source_count":1}
