GHSA-C7WP-3QH5-55PV

Vulnerability from github – Published: 2026-05-08 19:51 – Updated: 2026-05-08 19:51
Summary
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
Details

Missing Access Check on Channel Members Endpoint for Standard Channels

Affected Component

Channel members listing endpoint:

  • backend/open_webui/routers/channels.py (lines 445-507, get_channel_members_by_id)

Affected Versions

Current main branch at the time of reporting and, in all likelihood, every release that includes the channels feature. The advisory's affected-version record lists open-webui (PyPI) <= 0.8.12 as the last known affected range and 0.9.0 as the fixed release.

Description

The GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private ones — there is no channel_has_access check before returning the member list. Any authenticated user who knows a private channel's UUID can enumerate all users with access to that channel.

# Line 467-469: only group/dm channels are checked
if channel.type in ['group', 'dm']:
    if not Channels.is_user_channel_member(channel.id, user.id, db=db):
        raise HTTPException(...)
# Standard channels fall through with NO access check

Compare with other channel endpoints (e.g., get_channel_messages at line 688) which correctly call channel_has_access(user.id, channel, permission='read') for standard channels.
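
The gap described above and the shape of the fix it implies, as an added example that is not Open WebUI's code. The User and Channel models, the in-memory ACL helpers and the stand-in HTTPException are assumptions modelled on the names the advisory quotes (is_user_channel_member, channel_has_access); the project's real data model and signatures are not reproduced. get_members_vulnerable mirrors the pre-fix dispatch (only group/dm gated), get_members_fixed gates every channel type with the same read check the message endpoints use, and demo() shows what a non-member gets from each:

```python
"""Vulnerable and hardened authorization for a channel-members endpoint.
Added illustration, not Open WebUI's code: User, Channel, the in-memory ACL
helpers and the stand-in HTTPException are assumptions modelled on the names
the advisory quotes (is_user_channel_member, channel_has_access); the project's
real data model and function signatures are not reproduced here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

class HTTPException(Exception):  # stand-in for fastapi.HTTPException
    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code

@dataclass
class User:
    id: str
    name: str
    email: str
    role: str = "user"

@dataclass
class Channel:
    id: str
    type: str  # "channel" (standard), "group" or "dm"
    # Assumption: None means public; otherwise permission -> set of user ids.
    access_control: Optional[Dict[str, Set[str]]] = None
    members: Set[str] = field(default_factory=set)  # group/dm membership only

def is_user_channel_member(channel: Channel, user_id: str) -> bool:
    """Stand-in for Channels.is_user_channel_member (group/dm membership)."""
    return user_id in channel.members

def channel_has_access(user_id: str, channel: Channel, permission: str = "read") -> bool:
    """Stand-in for channel_has_access: public channels are open to everyone."""
    if channel.access_control is None:
        return True
    return user_id in channel.access_control.get(permission, set())

def render_members(channel: Channel, users: Dict[str, User]) -> List[dict]:
    """The record the advisory says is returned (id, name, email, role) for each
    permitted user: group/dm members, or everyone with read access to a standard
    channel (all users when it is public)."""
    if channel.type in ("group", "dm"):
        ids = channel.members
    elif channel.access_control is None:
        ids = set(users)
    else:
        ids = channel.access_control.get("read", set())
    return [{"id": users[i].id, "name": users[i].name, "email": users[i].email,
             "role": users[i].role} for i in sorted(ids)]

def get_members_vulnerable(channel: Channel, user: User, users: Dict[str, User]) -> List[dict]:
    """Pre-fix logic: only group/dm channels are gated; a standard channel,
    private or not, falls through to the member list."""
    if channel.type in ("group", "dm"):
        if not is_user_channel_member(channel, user.id):
            raise HTTPException(403, "Forbidden")
    return render_members(channel, users)

def get_members_fixed(channel: Channel, user: User, users: Dict[str, User]) -> List[dict]:
    """Hardened: every channel type is gated before anything is returned; standard
    channels get the same ACL read check the message endpoints already apply."""
    if channel.type in ("group", "dm"):
        allowed = is_user_channel_member(channel, user.id)
    else:
        allowed = channel_has_access(user.id, channel, permission="read")
    if not allowed:
        raise HTTPException(403, "Forbidden")
    return render_members(channel, users)

def outcome(handler, channel: Channel, user: User, users: Dict[str, User]) -> Tuple[int, int]:
    """(HTTP status the handler would produce, number of member records returned)."""
    try:
        return 200, len(handler(channel, user, users))
    except HTTPException as exc:
        return exc.status_code, 0

# Constructed sample data (not real accounts or channel ids): a private standard
# channel, a public standard channel and a group; mallory belongs to none of them.
USERS = {
    "alice": User("alice", "Alice", "alice@example.com", "admin"),
    "bob": User("bob", "Bob", "bob@example.com"),
    "mallory": User("mallory", "Mallory", "mallory@example.com"),
}
PRIVATE = Channel("00000000-0000-4000-8000-000000000001", "channel",
                  access_control={"read": {"alice", "bob"}, "write": {"alice"}})
PUBLIC = Channel("00000000-0000-4000-8000-000000000002", "channel")
GROUP = Channel("00000000-0000-4000-8000-000000000003", "group", members={"alice", "bob"})

def demo() -> Dict[str, Tuple[int, int]]:
    """What the outsider (mallory) gets from each handler and channel type."""
    m = USERS["mallory"]
    return {
        "private/vulnerable": outcome(get_members_vulnerable, PRIVATE, m, USERS),
        "private/fixed": outcome(get_members_fixed, PRIVATE, m, USERS),
        "public/fixed": outcome(get_members_fixed, PUBLIC, m, USERS),
        "group/vulnerable": outcome(get_members_vulnerable, GROUP, m, USERS),
        "group/fixed": outcome(get_members_fixed, GROUP, m, USERS),
    }
```

With the constructed data, demo() reports (200, 2) for the private channel under the vulnerable handler (two member records handed to an outsider) and (403, 0) under the fixed one, while the public channel and the group behave the same either way. Whether the denied case answers 403 or 404 is a design choice; 404 has the advantage of not confirming that a guessed or leaked UUID refers to a real channel.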

CVSS 3.1 Breakdown

Metric               Value          Rationale
Attack Vector        Network (N)    Exploited remotely via an API call
Attack Complexity    Low (L)        A single API call, no special conditions
Privileges Required  Low (L)        Requires a valid user account
User Interaction     None (N)       No victim interaction required
Scope                Unchanged (U)  Impact stays within the channel authorization boundary
Confidentiality      Low (L)        Leaks user identities and details for a private channel
Integrity            None (N)       No data modification
Availability         None (N)       No denial of service

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (base score 4.3, Medium; GitHub rates the advisory Moderate).

Attack Scenario

  1. Attacker obtains a private standard channel's UUID (via logs, browser history, URL observation, or other API responses).
  2. Attacker calls GET /api/v1/channels/{id}/members.
  3. The server returns the full list of permitted users including their IDs, names, emails, roles, and profile images.
  4. The attacker has no access to the channel's messages (those endpoints check access correctly), but now knows exactly who does.

Impact

  • Leaks the identity and personal details of every user with access to a private channel
  • Reveals organizational structure and project assignments
  • Enables targeted social engineering against channel members

Preconditions

  • Channels feature must be enabled (disabled by default)
  • Attacker must know the channel UUID (not guessable, but obtainable through indirect means)
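
A self-check for the scenario and preconditions above, added here as an example that is not part of the advisory or of Open WebUI: run it with the token of a low-privilege account that is not a member of the private channels you pass in, before and after upgrading. Assumptions not taken from the advisory: the API accepts a bearer token in the Authorization header; a 200 whose body is a JSON array means the member list was disclosed; 401/403 means access was enforced; anything else (for example 404 when the channels feature is disabled or the id is unknown) is reported unclassified. The transport is injectable so the classification logic can be exercised without a live server.

```python
"""Probe the channel-members endpoint as a non-member and classify the answer.
Added illustration, not part of the advisory or of Open WebUI. Assumed, not
taken from the advisory: bearer-token auth, a JSON array body on success.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# transport(url, headers) -> (status, body); swappable for offline testing.
Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]

def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read()

def members_url(base_url: str, channel_id: str) -> str:
    return f"{base_url.rstrip('/')}/api/v1/channels/{channel_id}/members"

def probe_channel(base_url: str, token: str, channel_id: str,
                  transport: Transport = urllib_transport) -> Dict[str, object]:
    """Classify one channel as disclosed, enforced or unclassified."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, body = transport(members_url(base_url, channel_id), headers)
    result: Dict[str, object] = {"channel": channel_id, "status": status,
                                 "verdict": "unclassified", "members": None}
    if status in (401, 403):
        result["verdict"] = "enforced"
    elif status == 200:
        try:
            data = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return result  # 200 but not JSON: leave unclassified
        if isinstance(data, list):
            result["verdict"] = "disclosed"
            result["members"] = len(data)
    return result

def probe_channels(base_url: str, token: str, channel_ids: Iterable[str],
                   transport: Transport = urllib_transport) -> List[Dict[str, object]]:
    return [probe_channel(base_url, token, cid, transport) for cid in channel_ids]

def summarize(results: List[Dict[str, object]]) -> Dict[str, int]:
    counts = {"disclosed": 0, "enforced": 0, "unclassified": 0}
    for r in results:
        counts[str(r["verdict"])] += 1
    return counts

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        sys.exit("usage: probe.py BASE_URL TOKEN CHANNEL_ID [CHANNEL_ID ...]")
    for r in probe_channels(sys.argv[1], sys.argv[2], sys.argv[3:]):
        print(r)
    print(summarize(probe_channels(sys.argv[1], sys.argv[2], sys.argv[3:])))
```

Any "disclosed" verdict for a private channel the probing account does not belong to reproduces the advisory's finding; an "unclassified" 404 across the board is what you should expect when the channels feature is disabled or the ids are wrong, not evidence that the check is in place.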

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:51:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Missing Access Check on Channel Members Endpoint for Standard Channels\n\n## Affected Component\n\nChannel members listing endpoint:\n- `backend/open_webui/routers/channels.py` (lines 445-507, `get_channel_members_by_id`)\n\n## Affected Versions\n\nCurrent main branch and likely all versions with the channels feature.\n\n## Description\n\nThe `GET /api/v1/channels/{id}/members` endpoint only checks membership for `group` and `dm` channel types (lines 467-469). For standard channels \u2014 including private ones \u2014 there is no `channel_has_access` check before returning the member list. Any authenticated user who knows a private channel\u0027s UUID can enumerate all users with access to that channel.\n\n```python\n# Line 467-469: only group/dm channels are checked\nif channel.type in [\u0027group\u0027, \u0027dm\u0027]:\n    if not Channels.is_user_channel_member(channel.id, user.id, db=db):\n        raise HTTPException(...)\n# Standard channels fall through with NO access check\n```\n\nCompare with other channel endpoints (e.g., `get_channel_messages` at line 688) which correctly call `channel_has_access(user.id, channel, permission=\u0027read\u0027)` for standard channels.\n\n## CVSS 3.1 Breakdown\n\n| Metric | Value | Rationale |\n|--------|-------|-----------|\n| Attack Vector | Network (N) | Exploited remotely via API call |\n| Attack Complexity | Low (L) | Single API call, no special conditions |\n| Privileges Required | Low (L) | Requires a valid user account |\n| User Interaction | None (N) | No victim interaction required |\n| Scope | Unchanged (U) | Impact is within the channel authorization boundary |\n| Confidentiality | Low (L) | Leaks user identities and details for a private channel |\n| Integrity | None (N) | No data modification |\n| Availability | None (N) | No denial of service |\n\n## Attack Scenario\n\n1. Attacker obtains a private standard channel\u0027s UUID (via logs, browser history, URL observation, or other API responses).\n2. Attacker calls `GET /api/v1/channels/{id}/members`.\n3. The server returns the full list of permitted users including their IDs, names, emails, roles, and profile images.\n4. The attacker has no access to the channel\u0027s messages (those endpoints check access correctly), but now knows exactly who does.\n\n## Impact\n\n- Leaks the identity and personal details of every user with access to a private channel\n- Reveals organizational structure and project assignments\n- Enables targeted social engineering against channel members\n\n## Preconditions\n\n- Channels feature must be enabled (disabled by default)\n- Attacker must know the channel UUID (not guessable, but obtainable through indirect means)",
  "id": "GHSA-c7wp-3qh5-55pv",
  "modified": "2026-05-08T19:51:48Z",
  "published": "2026-05-08T19:51:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-c7wp-3qh5-55pv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels"
}

