Open WebUI
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- <= 0.8.12
A vulnerability exists in Open WebUI versions prior to 0.9.0 that allows read-only users to modify collaborative documents through the Socket.IO `ydoc:document:update` event. The event handler checks room membership but does not verify write permissions. Because read-only users are legitimately allowed to join document rooms (they need to receive live updates), they can emit update events that alter the Yjs document state, and the server broadcasts those changes to all collaborators in real time. Although `document_save_handler` enforces write permissions before saving, it persists whatever state the room already holds, so injected content becomes permanent as soon as a user with write access saves the document.
This vulnerability allows read-only users to inject, modify, or delete content in collaborative documents, with real-time broadcasts to all collaborators. If a write-access user saves the document, the tampered content is permanently persisted, undermining the read/write permission model.
To reproduce this vulnerability, a user with read-only access must join a collaborative document room. Once in the room, the user can emit `ydoc:document:update` events with crafted Yjs update payloads via the Socket.IO connection. The server will apply these updates to the document state and broadcast the changes to all collaborators. If a user with write access saves the document, the injected content will be persisted.
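The following is an added illustration, not Open WebUI's own code. It models the behaviour described above in an in-memory form: a document room whose `ydoc:document:update` handler checks only membership (the pre-0.9.0 behaviour), the hardened handler that also requires write access, and a save path that enforces write permission but persists the room's current state regardless of who produced it. The `Access` enum, the `DocumentRoom` class, the handler names and the byte string standing in for a Yjs update are all assumptions made for the example; the real implementation merges CRDT updates and uses the project's own ACL lookup.

```python
"""
Added example (not Open WebUI code): membership-only vs. write-checked
handling of a collaborative document update event, and why a write user's
save persists a read-only user's injected content.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass
class DocumentRoom:
    doc_id: str
    # user_id -> Access; stands in for the ACL lookup a real handler performs
    acl: dict[str, Access]
    members: set[str] = field(default_factory=set)
    # Constructed stand-in for live Yjs state: the list of applied update blobs
    state: list[bytes] = field(default_factory=list)
    saved_state: list[bytes] = field(default_factory=list)
    # (recipient, update) pairs, i.e. what was broadcast to other members
    broadcast_log: list[tuple[str, bytes]] = field(default_factory=list)

    def access_of(self, user_id: str) -> Access:
        return self.acl.get(user_id, Access.NONE)

    def join(self, user_id: str) -> None:
        # Read access is enough to join: viewers must receive live updates.
        if self.access_of(user_id).value < Access.READ.value:
            raise PermissionError(f"{user_id} may not view {self.doc_id}")
        self.members.add(user_id)

    def apply_and_broadcast(self, sender: str, update: bytes) -> None:
        self.state.append(update)
        for member in self.members:
            if member != sender:
                self.broadcast_log.append((member, update))


def vulnerable_document_update(room: DocumentRoom, user_id: str, update: bytes) -> bool:
    """Pre-0.9.0 behaviour as described in the advisory: membership is the
    only gate, so any room member can change the shared document state."""
    if user_id not in room.members:
        return False
    room.apply_and_broadcast(user_id, update)
    return True


def hardened_document_update(room: DocumentRoom, user_id: str, update: bytes) -> bool:
    """Hardened form: the sender must both be in the room and hold write access."""
    if user_id not in room.members:
        return False
    if room.access_of(user_id) is not Access.WRITE:
        return False
    room.apply_and_broadcast(user_id, update)
    return True


def document_save_handler(room: DocumentRoom, user_id: str) -> bool:
    """Save path: write permission is enforced here, but what gets persisted
    is the room's current state, whoever produced it."""
    if room.access_of(user_id) is not Access.WRITE:
        return False
    room.saved_state = list(room.state)
    return True


def run_scenario(update_handler) -> tuple[bool, bool]:
    """Returns (viewer's update accepted, injected content persisted after an
    editor saves) for the given update handler."""
    room = DocumentRoom("doc-1", {"editor": Access.WRITE, "viewer": Access.READ})
    room.join("editor")
    room.join("viewer")  # allowed: viewers may join to receive updates
    injected = b"constructed-update-blob"  # constructed stand-in for a Yjs update
    accepted = update_handler(room, "viewer", injected)
    assert document_save_handler(room, "viewer") is False  # save path already checks write
    document_save_handler(room, "editor")  # an editor's ordinary save
    return accepted, injected in room.saved_state


if __name__ == "__main__":
    print("membership-only handler:", run_scenario(vulnerable_document_update))
    print("write-checked handler:  ", run_scenario(hardened_document_update))
```

With the membership-only handler the scenario returns `(True, True)`: the viewer's update is applied and broadcast, and the editor's save persists it. With the write-checked handler it returns `(False, False)`. The point to verify in any such system is that the permission checked on the real-time update path is the same one checked on the save path; checking only at save time leaves the window the advisory describes.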
Users are advised to update Open WebUI to version 0.9.0 or later, where this vulnerability has been fixed.