Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An attacker who knows a chat session UUID can kill another user's LLM generation mid-stream. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.
AnalysisAI
Onyx versions before 3.0.9, 3.1.6, and 3.2.6 permit authenticated users to terminate any other user's active chat session via the POST /chat/stop-chat-session/{chat_session_id} endpoint without verifying session ownership. An attacker with valid credentials can interrupt another user's LLM generation mid-stream by supplying a known session UUID, causing denial of service to targeted chat sessions. Vendor-released patches are available, and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Onyx is an open-source AI platform built to manage and interact with large language models. The vulnerability stems from an insecure direct object reference (IDOR) flaw in the chat session termination endpoint. The endpoint (POST /chat/stop-chat-session/{chat_session_id}) validates that the caller is an authenticated user via the PR:L (requires low privilege) requirement but fails to perform authorization checks confirming the caller owns or has permission to access the specified chat session UUID. This is a classic broken access control vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key). The session ID is likely a UUID predictable or discoverable through information disclosure, allowing attackers to enumerate and terminate sessions belonging to any user in the system.
RemediationAI
Upgrade Onyx to version 3.0.9, 3.1.6, or 3.2.6 (or later) depending on your current major/minor version branch. These releases include authorization checks confirming that the authenticated user owns the chat session before permitting termination. Refer to the GitHub security advisory at https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-rw6w-hp62-gc8w for detailed release notes. As a temporary compensating control pending upgrade, restrict access to the POST /chat/stop-chat-session endpoint at the API gateway or reverse proxy layer to a trusted administrator role only, though this will prevent legitimate users from terminating their own sessions and should be considered a stop-gap measure, not a permanent solution.
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search p
NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cau
NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in the LDAP AAA component, where a us
NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter
Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. Rate
Onyx versions prior to 3.0.9, 3.1.6, and 3.2.6 expose an authorization bypass in the GET /chat/file/{file_id} endpoint t
SQL injection in Onyx Chat Interface allows authenticated remote attackers to manipulate database queries via the genera
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary Ja
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. Rated high severity (CVSS 8.1), t
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28524