Open WebUI Vulnerability: Revoked Admins Retain Access

A critical vulnerability, CVE-2026-44553, has been identified in Open WebUI, a self-hosted AI platform. The National Vulnerability Database reports that prior to version 0.9.0, the platform failed to properly invalidate existing Socket.IO sessions when an administrative role was revoked or a user was deleted. This means a user whose admin privileges were removed could retain full administrative access for as long as their session remained active, continuously refreshed by automatic heartbeats.

This flaw, rated with a CVSS score of 8.1 (HIGH), stems from a lapse in session management (CWE-613, Insufficient Session Expiration). The issue is confined to the Socket.IO session cache: the role cached at connection time is never refreshed or evicted, so a user can bypass intended privilege changes for the life of the socket. The National Vulnerability Database confirms that this vulnerability is addressed in Open WebUI version 0.9.0.

The attacker's calculus here is simple: once an admin account is compromised, or an insider's privileges are revoked, the attacker has a window in which to maintain persistent, high-level access. Defenders must assume that privilege revocation is not immediate and that active sessions remain a backdoor until they are explicitly terminated.
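To make the failure mode concrete, here is an added example (not Open WebUI's code) modelling a Socket.IO-style session pool that caches the user's role at connect time. The vulnerable revocation path updates only the user store, so every already-connected socket keeps its stale "admin" snapshot; the hardened path walks the pool and evicts the user's sessions on role change or deletion, which is the behaviour the 0.9.0 fix is described as adding. All names (USERS, SESSION_POOL, revoke_admin_*, delete_user_fixed) are constructed for this illustration.

```python
"""Model of stale role snapshots in a Socket.IO session pool.
Constructed example; not Open WebUI's implementation."""
from dataclasses import dataclass
from typing import Dict

# Constructed user store: user id -> role. Stands in for the database.
USERS: Dict[str, str] = {}


@dataclass
class Session:
    sid: str        # socket id
    user_id: str
    role: str       # role snapshot taken when the socket connected


# Constructed pool: socket id -> cached session record.
SESSION_POOL: Dict[str, Session] = {}


def connect(sid: str, user_id: str) -> Session:
    """Authenticate the socket once and cache the user's current role."""
    sess = Session(sid=sid, user_id=user_id, role=USERS[user_id])
    SESSION_POOL[sid] = sess
    return sess


def admin_action(sid: str) -> bool:
    """Authorize from the cached session only, as a heartbeat-kept socket
    would. Returns True if the admin-only action is permitted."""
    sess = SESSION_POOL.get(sid)
    return sess is not None and sess.role == "admin"


def revoke_admin_vulnerable(user_id: str) -> None:
    """Role change that touches the user store only.
    Live sessions still carry the stale 'admin' snapshot."""
    USERS[user_id] = "user"


def _evict_sessions(user_id: str) -> int:
    """Drop every pooled session belonging to user_id; return the count."""
    stale = [sid for sid, s in SESSION_POOL.items() if s.user_id == user_id]
    for sid in stale:
        del SESSION_POOL[sid]
    return len(stale)


def revoke_admin_fixed(user_id: str) -> int:
    """Role change that also walks the pool, forcing the user to
    re-authenticate and pick up the new role. Returns sessions evicted."""
    USERS[user_id] = "user"
    return _evict_sessions(user_id)


def delete_user_fixed(user_id: str) -> int:
    """Deletion must evict sessions too: with no user row left to
    re-check against, the cached record is all that remains."""
    USERS.pop(user_id, None)
    return _evict_sessions(user_id)


def demo() -> dict:
    """Run both revocation paths and report whether the revoked admin
    can still perform an admin action over the original socket."""
    USERS.clear()
    SESSION_POOL.clear()
    USERS["alice"] = "admin"
    connect("sock-1", "alice")

    revoke_admin_vulnerable("alice")
    still_admin_vulnerable = admin_action("sock-1")   # True: stale cache wins

    USERS["alice"] = "admin"                          # reset for the fixed path
    revoke_admin_fixed("alice")
    still_admin_fixed = admin_action("sock-1")        # False: session evicted

    return {"vulnerable": still_admin_vulnerable, "fixed": still_admin_fixed}


if __name__ == "__main__":
    print(demo())
```

Evicting is the simplest correct choice; the alternative is to re-read the role from the user store on every privileged event instead of trusting the snapshot. Either way, the invariant to test after any upgrade is the one `demo()` checks: an existing socket must lose admin rights the moment the role is revoked, without waiting for the client to disconnect.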

What This Means For You

  • If your organization uses Open WebUI, you must immediately upgrade to version 0.9.0 or higher. This vulnerability allows former administrators or compromised accounts to retain full admin privileges, completely undermining your access controls. Audit all recent administrative privilege changes and user deletions, and consider forcing a logout of all active sessions post-upgrade.

Detection Rules

Open WebUI Revoked Admin Session Persistence - CVE-2026-44553
Level: high · ATT&CK technique: T1134.001 · Tactic: Privilege Escalation

Sigma YAML:

title: Open WebUI Revoked Admin Session Persistence - CVE-2026-44553
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects continued POST requests to the Open WebUI Socket.IO endpoint after an administrative role change or user deletion. This indicates a revoked administrator may be maintaining their elevated privileges by keeping their existing session alive, as described in CVE-2026-44553.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44553/
tags:
  - attack.privilege_escalation
  - attack.t1134.001
logsource:
  category: webserver
# The selection matches every successful Socket.IO POST; the "after a role
# change" part of the description has to come from correlating matches with
# role-change or user-deletion audit events in the SIEM.
detection:
  selection:
    cs-uri|contains:
      - '/api/socket.io/'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID              Type                  Indicator
CVE-2026-44553  Privilege Escalation  Open WebUI versions prior to 0.9.0
CVE-2026-44553  Auth Bypass           Open WebUI administrative role changes and user deletions not iterating SESSION_POOL
CVE-2026-44553  Privilege Escalation  Open WebUI Socket.IO session cache vulnerability
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.