CVE-2026-59715
Open WebUI (self-hosted AI platform) versions 0.6.16–0.10.0 expose unauthenticated access via Socket.IO due to always_connect=True, allowing unauthorized manipulation of ydoc:awareness:update and ydoc:document:leave collaborative-doc events. This is fixed in 0.10.0; upgrade to 0.10.0 or later to ...