What happened
From 0.9.0 before 0.10.0, with Redis configured, Socket.IO connect, user-join, join-channels, join-note, and terminal-websocket first-message authentication used decode_token without checking the Redis-backed is_valid_token revocation state, meaning revoked/logged-out tokens remained usable for these code paths.
Why it matters
Token revocation is a core security control for terminating compromised sessions; this flaw means an attacker holding a revoked token (e.g., from a logged-out or force-revoked account) can still authenticate to real-time channels and the embedded terminal, undermining incident response containment for a self-hosted AI platform.
Attack vector
Revoked JWT token still passes decode_token check for Socket.IO/terminal auth because Redis-backed is_valid_token revocation state is not consulted
Affected systems
Open WebUI 0.9.0 to < 0.10.0 (with Redis configured)
Mitigation
Upgrade to Open WebUI ≥0.10.0