The vulnerability resides in the ydoc:document:join Socket.IO handler of Open WebUI. Prior to version 0.8.11, the server performs an ownership check only when the document identifier begins with a colon. Because the storage layer replaces colons with underscores, an authenticated user can join a room using the underscore notation, bypassing the authorization check and receiving the full Yjs document state. The server then returns the full document state, leaking the victim's private note contents. This flaw is an example of Improper Authorization (CWE‑863) and Hijacked Access Control (CWE‑706). The issue has been fixed in 0.8.11.

Any installation of Open WebUI running a version earlier than 0.8.11 is affected. The product is the open-webui open-webui platform, deployed by self‑hosted users of the AI framework.

The CVSS score of 5.3 reflects a medium impact for confidentiality. The vulnerability is exploitable only by users who have already gained legitimate authentication to the system, but once authenticated, malicious users can retrieve sensitive data of other accounts by manipulating the socket room name. No public exploit has been reported and the issue is not listed in the CISA KEV catalog; EPSS data is absent. An attacker must discover or guess a valid note ID, so the risk is moderated by the need for knowledge of the target’s note identifiers, but the data exposed can be highly sensitive.