GHSA-JXWR-G6R6-J3FX
Vulnerability from github – Published: 2026-05-11 14:04 – Updated: 2026-05-19 15:57
Description
There's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation.
While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages.
The vulnerability affects both message content modification and deletion, allowing users to tamper with message integrity and audit trails in collaborative channel environments.
Source - Sink Analysis
Source: User-controlled message_id parameter in URL path
Call Chain:
1. FastAPI route handlers update_message_by_id() (line 450) and delete_message_by_id() (line 630) in backend/open_webui/routers/channels.py
2. Channel-level authorization check: has_access(user.id, type="read", access_control=channel.access_control) at lines 457 and 637
3. Message retrieval: Messages.get_message_by_id(message_id) at lines 467 and 647
4. Channel ID validation: if message.channel_id != id: at lines 472 and 652
5. Missing: Message ownership validation (message.user_id == user.id)
6. Sink: Messages.update_message_by_id(message_id, form_data) at line 476 or Messages.delete_message_by_id(message_id) at line 658 - modifies any message without ownership verification
Proof of Concept
1. Deploy Open WebUI with channels enabled (ENABLE_CHANNELS=true)
2. Create scenario:
   - User A creates a channel and grants User B read access
   - User A posts a message in the channel
   - User B observes the message_id from the frontend
3. Exploit: User B sends direct API requests bypassing frontend controls:

Message Update:
```bash
curl -X POST "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/update" \
 -H "Authorization: Bearer {attacker_token}" \
 -H "Content-Type: application/json" \
 -d '{"content": "Malicious content injected by attacker"}'
```

Message Deletion:
```bash
curl -X DELETE "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/delete" \
 -H "Authorization: Bearer {attacker_token}"
```

4. Result: Victim's message is modified or deleted despite User B only having read permissions
Impact
- Users can modify other users' message content within shared channels
- Read-only users gain write/delete capabilities over other users' content
Remediation
Implement proper message ownership validation in the update and delete endpoints by adding ownership checks that follow the established security pattern used throughout the codebase. First, add a validation condition after the existing message retrieval to ensure only message owners or admins can modify messages: if user.role != "admin" and message.user_id != user.id and not has_access(user.id, type="write", access_control=channel.access_control) then raise a 403 Forbidden exception. Second, change the existing permission check from type="read" to type="write" for both update and delete operations to align with the access control model used in other routers (notes, prompts, knowledge, etc.).
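As an added illustration (not Open WebUI's own code), the vulnerable gate from the call chain above beside the remediated gate described in this section; the data model, the has_access() semantics and an admin bypass on the channel-level check are simplified assumptions:

```python
# Added example (not Open WebUI code); data model and has_access() are simplified assumptions.
from collections import namedtuple

User = namedtuple("User", "id role")
Message = namedtuple("Message", "id channel_id user_id content")  # user_id = author

class Forbidden(Exception):
    """Stands in for FastAPI's HTTPException(status_code=403)."""

def has_access(user_id, type, access_control):
    # Simplified stand-in: access_control = {"read"|"write": {"user_ids": [...]}}
    return user_id in access_control.get(type, {}).get("user_ids", [])

def _message_in_channel(message_id, channel_id, store):
    message = store[message_id]  # KeyError models the existing 404 path
    if message.channel_id != channel_id:  # the existing channel-id check
        raise ValueError("message does not belong to this channel")
    return message

def authorize_edit_vulnerable(user, channel_id, access_control, message_id, store):
    # Pre-fix logic: read access on the channel is the only gate, so any reader
    # reaches the update/delete sink for any message in the channel.
    if user.role != "admin" and not has_access(user.id, "read", access_control):
        raise Forbidden("no read access")
    return _message_in_channel(message_id, channel_id, store)  # no ownership check

def authorize_edit_fixed(user, channel_id, access_control, message_id, store):
    # Remediated logic: write access on the channel, then owner/admin/write check.
    if user.role != "admin" and not has_access(user.id, "write", access_control):
        raise Forbidden("no write access")
    message = _message_in_channel(message_id, channel_id, store)
    if (user.role != "admin" and message.user_id != user.id
            and not has_access(user.id, "write", access_control)):
        raise Forbidden("not the message owner")
    return message

# Constructed scenario from the advisory: A owns the channel and the message,
# B was granted read access only, "root" is an admin.
ACCESS_CONTROL = {"read": {"user_ids": ["A", "B"]}, "write": {"user_ids": ["A"]}}
STORE = {"msg-1": Message("msg-1", "chan-1", "A", "hello")}
ALICE, BOB, ADMIN = User("A", "user"), User("B", "user"), User("root", "admin")

def can_edit(check, user, message_id="msg-1"):
    # True if the given check lets `user` reach the update/delete sink.
    try:
        check(user, "chan-1", ACCESS_CONTROL, message_id, STORE)
        return True
    except Forbidden:
        return False
```

Running can_edit(authorize_edit_vulnerable, BOB) returns True while can_edit(authorize_edit_fixed, BOB) returns False, which is exactly the gap the advisory describes.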
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "<= 0.6.18"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:04:35Z",
    "nvd_published_at": "2026-05-15T22:16:53Z",
    "severity": "HIGH"
  },
  "id": "GHSA-jxwr-g6r6-j3fx",
  "modified": "2026-05-19T15:57:42Z",
  "published": "2026-05-11T14:04:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jxwr-g6r6-j3fx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44569"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI's Insecure Message Access Breaks Authorization"
}