What happened
Open WebUI's get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after only checking that the session was connected, allowing authenticated users who learn or guess another user's session_id to trigger code/tool execution events within that other user's session context.
Why it matters
This allows lateral privilege abuse between users in a shared Open WebUI deployment — a lower-privileged authenticated user could hijack the code-execution or tool-execution context of another session, undermining per-user isolation in a self-hosted AI platform used for code execution and tool-calling.
Attack vector
Authenticated attacker who learns another user's session_id sends execute:python/execute:tool Socket.IO events targeting that session_id, bypassing per-session isolation
Affected systems
Open WebUI 0.9.6 to < 0.10.0
Mitigation
Upgrade to Open WebUI ≥0.10.0