VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-yysb-dk2k-f7g4

Essentials
Severities (12)
References (5)
Severity details (9)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-yysb-dk2k-f7g4
Aliases	CVE-2026-44553 GHSA-45m8-cpm2-3v65
Summary	Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privileges within their existing Socket.IO session for as long as they keep the connection alive (via automatic heartbeats). The gap is exclusive to the Socket.IO session cache. This vulnerability is fixed in 0.9.0.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-613	Insufficient Session Expiration
CWE-384	Session Fixation
CWE-863	Incorrect Authorization
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44553
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44553
epss	0.00033	https://api.first.org/data/v1/epss?cve=CVE-2026-44553
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-45m8-cpm2-3v65
cvssv3.1	8.1	https://github.com/open-webui/open-webui
generic_textual	HIGH	https://github.com/open-webui/open-webui
cvssv3.1	8.1	https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65
cvssv3.1_qr	HIGH	https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65
generic_textual	HIGH	https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65
ssvc	Track	https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65
cvssv3.1	8.1	https://nvd.nist.gov/vuln/detail/CVE-2026-44553
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-44553

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-44553
		https://github.com/open-webui/open-webui
		https://nvd.nist.gov/vuln/detail/CVE-2026-44553
GHSA-45m8-cpm2-3v65		https://github.com/advisories/GHSA-45m8-cpm2-3v65
GHSA-45m8-cpm2-3v65		https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/open-webui/open-webui

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-19T03:55:42Z/ Found at https://github.com/open-webui/open-webui/security/advisories/GHSA-45m8-cpm2-3v65

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-44553

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.10234
EPSS Score	0.00033
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:42:41.423206+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/44xxx/CVE-2026-44553.json	38.6.0