Insufficient Session Expiration Affecting open-webui package, versions [,0.3.33)


Severity: high

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-PYTHON-OPENWEBUI-16691311
  • Published: 14 May 2026
  • Disclosed: 11 May 2026
  • Credit: @Kwstubbs (Kevin Stubbings)

Introduced: 11 May 2026

CVE: not available. CWE: CWE-613

How to fix?

Upgrade open-webui to version 0.3.33 or higher.

Overview

open-webui is an Open WebUI

Affected versions of this package are vulnerable to Insufficient Session Expiration via misconfiguration of the CORSMiddleware module and improper session management. An attacker can gain unauthorized access and execute arbitrary code by enticing an authenticated administrator to interact with a malicious website, which leverages cross-origin requests to the application. This can result in full compromise of the container when the application is running with elevated privileges. Session cookies are not invalidated upon logout, allowing attackers with access to previous session details to reuse them for unauthorized access.
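The two controls the overview points to, as an added sketch that is not open-webui's code: credentialed CORS responses limited to an exact origin allowlist, and logout that revokes the session on the server. `ALLOWED_ORIGINS`, `SESSION_TTL`, `cors_headers` and `SessionStore` are hypothetical names, and the origin values are constructed.

```python
import secrets
import time

# Assumption: explicit allowlist of trusted origins (constructed value).
ALLOWED_ORIGINS = {"https://webui.example.internal"}
SESSION_TTL = 3600  # seconds; assumed session lifetime


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return CORS headers for a credentialed request, or {} to deny.

    The weak pattern echoes any Origin (or uses a wildcard) while allowing
    credentials; here only exact allowlist matches are echoed back.
    """
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


class SessionStore:
    """Server-side session table: a token is valid only while listed here."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock() + self._ttl)
        return token

    def validate(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if self._clock() >= expires:
            del self._sessions[token]  # expired: drop it server-side
            return None
        return user

    def logout(self, token):
        # Revoke on the server; clearing only the browser cookie would
        # leave a previously copied token usable.
        self._sessions.pop(token, None)
```

A regression check for this class of issue replays a token captured before logout and expects it to be rejected.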
