GHSA-7RJH-PX4V-5W55
Vulnerability from github – Published: 2026-05-08 19:50 – Updated: 2026-05-08 19:50
Channel Access Grants Bypass filter_allowed_access_grants
Affected Component
Channel creation and update endpoints:
- backend/open_webui/routers/channels.py (lines 291-340, create_new_channel)
- backend/open_webui/routers/channels.py (lines 617-638, update_channel_by_id)
- backend/open_webui/models/channels.py (lines 825-826, set_access_grants call without filtering)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions supporting user-created group channels with access grants.
Description
All resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call filter_allowed_access_grants() before persisting access grants. This function strips principal_id: "*" wildcard grants from users who lack the relevant sharing.public_* permission, and strips individual user grants from users who lack access_grants.allow_users permission.
The channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework.
# channels.py — access_grants from form data flow directly into persistence
# No call to filter_allowed_access_grants() anywhere in these paths.
# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,
# all of which do:
# form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)
# before creating or updating.
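The following is an added example, not Open WebUI's own code: a minimal model of the grant filtering the advisory describes, with the vulnerable channel-create path (grants persisted verbatim) beside the hardened path that applies the filter the way the other resource routers do. The names filter_allowed_access_grants, set_access_grants, sharing.public_channels, access_grants.allow_users and the principal_type/principal_id/permission grant fields come from the advisory; User, has_permission, CHANNELS, create_channel_unfiltered, create_channel_filtered, is_public and the permission-lookup rules are constructed stand-ins for the real models and routers.

```python
# Added example, not Open WebUI's own code: a minimal model of the grant
# filtering the advisory describes, applied to a channel-create path.
# Names taken from the advisory: filter_allowed_access_grants, set_access_grants,
# sharing.public_channels, access_grants.allow_users, principal_type/principal_id.
# Everything else (User, has_permission, CHANNELS, create_channel_*, is_public)
# is a constructed stand-in for the real models and routers.
from dataclasses import dataclass, field
from typing import Dict, List

WILDCARD = "*"  # principal_id that grants access to every user


@dataclass
class User:
    id: str
    role: str = "user"
    # Admin-configured permission flags, e.g. {"sharing.public_channels": False}
    permissions: Dict[str, bool] = field(default_factory=dict)


def has_permission(user: User, key: str) -> bool:
    """Admins hold every permission; others only what the admin granted."""
    if user.role == "admin":
        return True
    return user.permissions.get(key, False)


def filter_allowed_access_grants(user: User, grants: List[dict],
                                 resource: str = "channels") -> List[dict]:
    """Drop grants the caller may not assign (hypothetical re-implementation
    of the check the advisory says channels.py skips)."""
    kept = []
    for grant in grants:
        ptype = grant.get("principal_type")
        pid = grant.get("principal_id")
        if ptype == "user" and pid == WILDCARD:
            # Public/wildcard grant requires the resource's sharing.public_* permission.
            if not has_permission(user, f"sharing.public_{resource}"):
                continue
        elif ptype == "user":
            # Individual-user grant requires access_grants.allow_users.
            if not has_permission(user, "access_grants.allow_users"):
                continue
        kept.append(grant)  # group grants and permitted grants pass through
    return kept


# In-memory stand-in for the channels table (constructed).
CHANNELS: Dict[str, dict] = {}


def set_access_grants(channel_id: str, grants: List[dict]) -> None:
    """Persist grants verbatim, like the model-layer call in the advisory."""
    CHANNELS[channel_id]["access_grants"] = list(grants)


def _new_channel(user: User, form: dict) -> str:
    channel_id = f"ch-{len(CHANNELS) + 1}"
    CHANNELS[channel_id] = {"name": form["name"], "type": form.get("type", "group"),
                            "user_id": user.id, "access_grants": []}
    return channel_id


def create_channel_unfiltered(user: User, form: dict) -> str:
    """Vulnerable shape: form grants go straight into set_access_grants."""
    channel_id = _new_channel(user, form)
    set_access_grants(channel_id, form.get("access_control", {}).get("access_grants", []))
    return channel_id


def create_channel_filtered(user: User, form: dict) -> str:
    """Hardened shape, matching what the other resource routers do."""
    grants = form.get("access_control", {}).get("access_grants", [])
    grants = filter_allowed_access_grants(user, grants)
    channel_id = _new_channel(user, form)
    set_access_grants(channel_id, grants)
    return channel_id


def is_public(channel_id: str) -> bool:
    """True if any persisted grant is the wildcard user grant."""
    return any(g.get("principal_type") == "user" and g.get("principal_id") == WILDCARD
               for g in CHANNELS[channel_id]["access_grants"])


def demo():
    """Constructed request from a regular user whose admin disabled public channel sharing."""
    regular = User("u1", permissions={"sharing.public_channels": False,
                                      "access_grants.allow_users": False})
    form = {"name": "public-channel", "type": "group",
            "access_control": {"access_grants": [
                {"principal_type": "user", "principal_id": WILDCARD, "permission": "read"}]}}
    vulnerable = create_channel_unfiltered(regular, form)
    hardened = create_channel_filtered(regular, form)
    return is_public(vulnerable), is_public(hardened)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The filter runs on the caller's permissions, not on the grant's shape alone, so the same wildcard grant is kept for an admin and dropped for a regular user whose group lacks sharing.public_channels; applying it on both the create and the update path is what closes the inconsistency the advisory points out.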
Attack Scenario
- Admin configures permissions so that regular users do NOT have sharing.public_channels — public sharing of channels is intended to be admin-only.
- Attacker (a regular user) creates or owns a group channel.
- Attacker sends:
  POST /api/v1/channels/
  {
    "name": "public-channel",
    "type": "group",
    "access_control": {
      "access_grants": [
        {"principal_type": "user", "principal_id": "*", "permission": "read"}
      ]
    }
  }
- set_access_grants is called directly without filter_allowed_access_grants — the wildcard grant is persisted.
- The channel becomes publicly readable to every user on the instance, despite the admin's policy prohibiting public channels for regular users.
The same attack works via POST /api/v1/channels/{id}/update for any channel the attacker owns.
Impact
- Regular users can bypass the sharing.public_channels permission and make channels publicly accessible
- Regular users can bypass access_grants.allow_users to grant individual-user access in environments where only group-based sharing is intended
- Admin's permission framework for channels is silently ineffective
- Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about
Preconditions
- Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel
- Admin must have configured restrictive sharing permissions for regular users (otherwise there's no policy to bypass)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.12"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44558"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:50:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Channel Access Grants Bypass filter_allowed_access_grants\n\n## Affected Component\n\nChannel creation and update endpoints:\n- `backend/open_webui/routers/channels.py` (lines 291-340, `create_new_channel`)\n- `backend/open_webui/routers/channels.py` (lines 617-638, `update_channel_by_id`)\n- `backend/open_webui/models/channels.py` (lines 825-826, `set_access_grants` call without filtering)\n\n## Affected Versions\n\nCurrent main branch (commit `6fdd19bf1`) and likely all versions supporting user-created group channels with access grants.\n\n## Description\n\nAll resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call `filter_allowed_access_grants()` before persisting access grants. This function strips `principal_id: \"*\"` wildcard grants from users who lack the relevant `sharing.public_*` permission, and strips individual user grants from users who lack `access_grants.allow_users` permission.\n\nThe channel router does not call `filter_allowed_access_grants` on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants \u2014 including public wildcard grants \u2014 and those grants are stored verbatim, bypassing the admin\u0027s permission framework.\n\n```python\n# channels.py \u2014 access_grants from form data flow directly into persistence\n# No call to filter_allowed_access_grants() anywhere in these paths.\n\n# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,\n# all of which do:\n# form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)\n# before creating or updating.\n```\n\n## Attack Scenario\n\n1. Admin configures permissions so that regular users do NOT have `sharing.public_channels` \u2014 public sharing of channels is intended to be admin-only.\n2. Attacker (a regular user) creates or owns a group channel.\n3. Attacker sends:\n ```\n POST /api/v1/channels/\n {\n \"name\": \"public-channel\",\n \"type\": \"group\",\n \"access_control\": {\n \"access_grants\": [\n {\"principal_type\": \"user\", \"principal_id\": \"*\", \"permission\": \"read\"}\n ]\n }\n }\n ```\n4. `set_access_grants` is called directly without `filter_allowed_access_grants` \u2014 the wildcard grant is persisted.\n5. The channel becomes publicly readable to every user on the instance, despite the admin\u0027s policy prohibiting public channels for regular users.\n\nThe same attack works via `POST /api/v1/channels/{id}/update` for any channel the attacker owns.\n\n## Impact\n\n- Regular users can bypass the `sharing.public_channels` permission and make channels publicly accessible\n- Regular users can bypass `access_grants.allow_users` to grant individual-user access in environments where only group-based sharing is intended\n- Admin\u0027s permission framework for channels is silently ineffective\n- Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about\n\n## Preconditions\n\n- Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel\n- Admin must have configured restrictive sharing permissions for regular users (otherwise there\u0027s no policy to bypass)",
"id": "GHSA-7rjh-px4v-5w55",
"modified": "2026-05-08T19:50:51Z",
"published": "2026-05-08T19:50:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rjh-px4v-5w55"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI\u0027s Channel Access Grants Bypass filter_allowed_access_grants"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.