Vulnerability  ·  2026-07-11

Open WebUI — Session Hijack Enables Unauthorized execute:python/execute:tool via Client-Supplied session_id (CVSS 7.7)

VulnerabilityHigh impactGlobalCVE-2026-59216
Open WebUI's get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after only checking that the session was connected, allowing authenticated users who learn or guess another user's session_id to trigger code/tool execution events within that other user's session context.
This allows lateral privilege abuse between users in a shared Open WebUI deployment — a lower-privileged authenticated user could hijack the code-execution or tool-execution context of another session, undermining per-user isolation in a self-hosted AI platform used for code execution and tool-calling.
Authenticated attacker who learns another user's session_id sends execute:python/execute:tool Socket.IO events targeting that session_id, bypassing per-session isolation
Open WebUI 0.9.6 to < 0.10.0
Upgrade to Open WebUI ≥0.10.0
GitHub commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →