Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Deactivated Channel Members Retain Full Access to Group/DM Channels
Affected Component
Channel membership authorization check:
backend/open_webui/models/channels.py(lines 663-673,is_user_channel_member)- Used at 15 locations in
backend/open_webui/routers/channels.py
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with the group/DM channel feature.
Description
The is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls.
The channel correctly disappears from the deactivated user's channel list (the listing query at get_channels_by_user_id properly filters on is_active), but all 15 message-level endpoints in the router rely on is_user_channel_member for authorization, which does not filter on is_active.
# models/channels.py:663 - missing is_active check
def is_user_channel_member(self, channel_id, user_id, db=None):
membership = db.query(ChannelMember).filter(
ChannelMember.channel_id == channel_id,
ChannelMember.user_id == user_id,
).first()
return membership is not None
# True even when is_active=FalseCompare with get_channel_by_id_and_user_id (line 778) which correctly checks ChannelMember.is_active.is_(True).
CVSS 3.1 Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network (N) | Exploited remotely via API calls |
| Attack Complexity | Low (L) | No special conditions beyond knowing the channel ID (which the user had as a former member) |
| Privileges Required | Low (L) | Requires a valid user account and prior channel membership |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact is within the same authorization boundary (the channel) |
| Confidentiality | Low (L) | Can read messages in a channel the user should no longer access |
| Integrity | Low (L) | Can post, edit, and delete messages in the channel |
| Availability | None (N) | No denial of service |
Attack Scenario
- User A and User B are members of a private group channel.
- The channel owner removes User B (or User B leaves). User B's membership is set to
is_active=False, status='left'. - The channel disappears from User B's UI - but User B noted the channel ID while they were a member.
- User B calls the API directly:
GET /api/v1/channels/{channel_id}/messages- reads all messages, including those posted after deactivationPOST /api/v1/channels/{channel_id}/messages/post- posts new messagesPOST /api/v1/channels/{channel_id}/messages/{id}/update- edits messagesDELETE /api/v1/channels/{channel_id}/messages/{id}/delete- deletes messages
- All requests succeed because
is_user_channel_memberreturnsTrue.
Impact
- Deactivated users can continue reading all new messages posted after their removal (confidentiality breach)
- Deactivated users can post, edit, and delete messages (integrity breach)
- The deactivation mechanism provides a false sense of security - channel owners believe removed users have lost access
Preconditions
- Channels feature must be enabled (disabled by default)
- Attacker must have a valid user account
- Attacker must have been a member of the channel at some point (and thus knows the channel ID)
Recommended Fix
Add is_active filtering to is_user_channel_member:
def is_user_channel_member(self, channel_id, user_id, db=None):
membership = db.query(ChannelMember).filter(
ChannelMember.channel_id == channel_id,
ChannelMember.user_id == user_id,
ChannelMember.is_active.is_(True),
).first()
return membership is not NoneThis aligns it with the existing get_channel_by_id_and_user_id method which already applies this filter correctly.
Analysis
Deactivated Channel Members Retain Full Access to Group/DM Channels
Affected Component
Channel membership authorization check:
backend/open_webui/models/channels.py(lines 663-673,is_user_channel_member)- Used at 15 locations in
backend/open_webui/routers/channels.py
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions with the group/DM channel feature.
Description
The is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls.
The channel correctly disappears from the deactivated user's channel list (the listing query at get_channels_by_user_id properly filters on is_active), but all 15 message-level endpoints in the router rely on is_user_channel_member for authorization, which does not filter on is_active.
# models/channels.py:663 - missing is_active check
def is_user_channel_member(self, channel_id, user_id, db=None):
membership = db.query(ChannelMember).filter(
ChannelMember.channel_id == channel_id,
ChannelMember.user_id == user_id,
).first()
return membership is not None
# True even when is_active=FalseCompare with get_channel_by_id_and_user_id (line 778) which correctly checks ChannelMember.is_active.is_(True).
CVSS 3.1 Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network (N) | Exploited remotely via API calls |
| Attack Complexity | Low (L) | No special conditions beyond knowing the channel ID (which the user had as a former member) |
| Privileges Required | Low (L) | Requires a valid user account and prior channel membership |
| User Interaction | None (N) | No victim interaction required |
| Scope | Unchanged (U) | Impact is within the same authorization boundary (the channel) |
| Confidentiality | Low (L) | Can read messages in a channel the user should no longer access |
| Integrity | Low (L) | Can post, edit, and delete messages in the channel |
| Availability | None (N) | No denial of service |
Attack Scenario
- User A and User B are members of a private group channel.
- The channel owner removes User B (or User B leaves). User B's membership is set to
is_active=False, status='left'. - The channel disappears from User B's UI - but User B noted the channel ID while they were a member.
- User B calls the API directly:
GET /api/v1/channels/{channel_id}/messages- reads all messages, including those posted after deactivationPOST /api/v1/channels/{channel_id}/messages/post- posts new messagesPOST /api/v1/channels/{channel_id}/messages/{id}/update- edits messagesDELETE /api/v1/channels/{channel_id}/messages/{id}/delete- deletes messages
- All requests succeed because
is_user_channel_memberreturnsTrue.
Impact
- Deactivated users can continue reading all new messages posted after their removal (confidentiality breach)
- Deactivated users can post, edit, and delete messages (integrity breach)
- The deactivation mechanism provides a false sense of security - channel owners believe removed users have lost access
Preconditions
- Channels feature must be enabled (disabled by default)
- Attacker must have a valid user account
- Attacker must have been a member of the channel at some point (and thus knows the channel ID)
Recommended Fix
Add is_active filtering to is_user_channel_member:
def is_user_channel_member(self, channel_id, user_id, db=None):
membership = db.query(ChannelMember).filter(
ChannelMember.channel_id == channel_id,
ChannelMember.user_id == user_id,
ChannelMember.is_active.is_(True),
).first()
return membership is not NoneThis aligns it with the existing get_channel_by_id_and_user_id method which already applies this filter correctly.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30619
GHSA-hmgr-67hw-j2cq