Skip to main content

Open WebUI CVE-2026-44569

HIGH
Missing Authorization (CWE-862)
2026-05-11 https://github.com/open-webui/open-webui GHSA-jxwr-g6r6-j3fx
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 14:30 vuln.today
Analysis Generated
May 11, 2026 - 14:30 vuln.today
CVE Published
May 11, 2026 - 14:04 nvd
HIGH 7.1

DescriptionGitHub Advisory

Description

There's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation.

While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages.

The vulnerability affects both message content modification and deletion, allowing users to tamper with message integrity and audit trails in collaborative channel environments.

Source - Sink Analysis

Source: User-controlled message_id parameter in URL path

Call Chain:

  1. FastAPI route handlers update_message_by_id() (line 450) and delete_message_by_id() (line 630) in backend/open_webui/routers/channels.py
  2. Channel-level authorization check: has_access(user.id, type="read", access_control=channel.access_control) at lines 457 and 637
  3. Message retrieval: Messages.get_message_by_id(message_id) at lines 467 and 647
  4. Channel ID validation: if message.channel_id != id: at lines 472 and 652
  5. Missing: Message ownership validation (message.user_id == user.id)
  6. Sink: Messages.update_message_by_id(message_id, form_data) at line 476 or Messages.delete_message_by_id(message_id) at line 658 - modifies any message without ownership verification

Proof of Concept

  1. Deploy Open WebUI with channels enabled (ENABLE_CHANNELS=true)
  2. Create scenario:
  • User A creates a channel and grants User B read access
  • User A posts a message in the channel
  • User B observes the message_id from the frontend
  1. Exploit: User B sends direct API requests bypassing frontend controls:

Message Update:

bash
curl -X POST "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/update" \
     -H "Authorization: Bearer {attacker_token}" \
     -H "Content-Type: application/json" \
     -d '{"content": "Malicious content injected by attacker"}'

Message Deletion:

bash
curl -X DELETE "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/delete" \
     -H "Authorization: Bearer {attacker_token}"
  1. Result: Victim's message is modified or deleted despite User B only having read permissions

Impact

  • Users can modify other users' message content within shared channels
  • Read-only users gain write/delete capabilities over other users' content

Remediation

Implement proper message ownership validation in the update and delete endpoints by adding ownership checks that follow the established security pattern used throughout the codebase. First, add a validation condition after the existing message retrieval to ensure only message owners or admins can modify messages: if user.role != "admin" and message.user_id != user.id and not has_access(user.id, type="write", access_control=channel.access_control) then raise a 403 Forbidden exception. Second, change the existing permission check from type="read" to type="write" for both update and delete operations to align with the access control model used in other routers (notes, prompts, knowledge, etc.).

AnalysisAI

Insecure Direct Object Reference (IDOR) in Open WebUI allows authenticated users with read-only channel access to modify or delete any message in those channels, bypassing frontend ownership controls through direct API calls. The vulnerability affects the channels feature in Open WebUI versions ≤0.6.18, exploiting missing message ownership validation in backend FastAPI endpoints despite correct frontend access control implementation. Publicly available exploit code exists with detailed proof-of-concept demonstrating privilege escalation from read to write/delete permissions. Vendor-released patch available in version 0.6.19.

Technical ContextAI

Open WebUI is a Python-based web interface (FastAPI framework) for LLM interactions with collaborative channel features. The vulnerability exists in backend/open_webui/routers/channels.py at the message update (line 450) and delete (line 630) endpoints. The affected code implements CWE-862 (Missing Authorization) by validating channel-level access but omitting resource-level ownership checks. The FastAPI route handlers perform channel access validation using has_access(user.id, type='read') but fail to verify message.user_id matches the requesting user.id before allowing modification operations. This creates a client-side security control bypass where frontend ownership checks (edit/delete button visibility) have no corresponding server-side enforcement, allowing direct API manipulation. The pkg:pip/open-webui package distributed via Python Package Index is affected across all deployments with ENABLE_CHANNELS=true configuration.

RemediationAI

Upgrade to Open WebUI version 0.6.19 which addresses the missing authorization checks per GitHub security advisory GHSA-jxwr-g6r6-j3fx (https://github.com/open-webui/open-webui/security/advisories/GHSA-jxwr-g6r6-j3fx). The patch implements message ownership validation following established codebase patterns by adding conditional checks: if user.role != 'admin' and message.user_id != user.id and not has_access(user.id, type='write', access_control=channel.access_control) then raise HTTP 403 Forbidden. Additionally, permission checks changed from type='read' to type='write' for update/delete operations to align with access control models used in other routers. If immediate patching is not feasible, disable channels functionality by setting ENABLE_CHANNELS=false in deployment configuration until upgrade can be completed. Alternatively, implement API gateway rules to enforce message ownership validation at the reverse proxy layer by correlating Authorization token claims with message.user_id from database lookups before proxying update/delete requests, though this adds operational complexity and latency. Review audit logs for suspicious message modification patterns (users modifying messages they did not create) to identify potential exploitation during vulnerable period.

Share

CVE-2026-44569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy