CVE-2026-44564 Open WebUI: Read-Only Users Can Modify Collaborative Documents via Socket.IO

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room line 678 but does not verify that the sender has write...

CVE-2026-44564

Open WebUI (self-hosted offline AI platform) contains a vulnerability in the ydoc:document:update Socket.IO handler that allows read-only users to modify in-memory Yjs documents. The handler validates room membership but does not verify write permission, and read-only users join the document room...

The vulnerability of the mobile application for collaborative work with documents, IBM Navigator Mobile for Android operating systems, allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the IBM Navigator Mobile mobile application for collaborative document work on Android operating systems is related to authentication errors. Exploiting this vulnerability can allow an attacker to gain unauthorized access to protected information...