SB2026050630 - Multiple vulnerabilities in Open WebUI
Published: May 6, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and modify other users' memories.
The vulnerability exists due to improper access control in the memories API when handling requests to memory query, update, and delete endpoints. A remote user can send crafted API requests using another user's memory identifier to disclose sensitive information and modify other users' memories.
The issue can expose memory contents and associated user ID values, and deleted memories can be restored through the update endpoint.
2) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete other users' messages.
The vulnerability exists due to missing authorization in the message update and delete endpoints when handling direct API requests for channel messages. A remote user can send crafted update or delete requests with a user-controlled message_id to modify or delete other users' messages.
Only instances with channels enabled are vulnerable. The issue affects users who have read access to a channel but do not own the target message.
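Both findings share one root cause: the endpoint resolves a record by the caller-supplied identifier alone instead of by (identifier, owner). The following is an added illustration of that pattern on a hypothetical in-memory store, not Open WebUI's code; `MemoryStore`, `Forbidden` and the users alice/bob and id m1 are constructed, and the same ownership check applies to the channel message endpoints in finding 2.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller does not own the referenced memory, or it does not exist."""

@dataclass
class Memory:
    id: str
    user_id: str
    content: str

@dataclass
class MemoryStore:
    """Hypothetical in-memory table standing in for the service's memory DB."""
    rows: dict[str, Memory] = field(default_factory=dict)
    def create(self, user_id: str, memory_id: str, content: str) -> None:
        self.rows[memory_id] = Memory(memory_id, user_id, content)
    # Vulnerable (CWE-639): fetch by caller-supplied id only, and upsert if missing.
    def update_unchecked(self, actor_id: str, memory_id: str, content: str) -> None:
        row = self.rows.setdefault(memory_id, Memory(memory_id, actor_id, ""))
        row.content = content  # other users' rows, even deleted ones, are writable

    # Hardened: scope every lookup to (id, owner) and never upsert.
    def _owned(self, actor_id: str, memory_id: str) -> Memory:
        row = self.rows.get(memory_id)
        if row is None or row.user_id != actor_id:
            # Same answer for "missing" and "not yours": no probing for others' ids.
            raise Forbidden(f"memory {memory_id!r} is not accessible")
        return row

    def update_checked(self, actor_id: str, memory_id: str, content: str) -> None:
        self._owned(actor_id, memory_id).content = content
    def delete_checked(self, actor_id: str, memory_id: str) -> None:
        self._owned(actor_id, memory_id)
        del self.rows[memory_id]

def demo() -> dict:
    """Constructed scenario: alice owns m1; bob holds only its identifier."""
    store = MemoryStore()
    store.create("alice", "m1", "private note")
    try:
        store.update_checked("bob", "m1", "tampered")  # hardened path refuses
        blocked = False
    except Forbidden:
        blocked = True
    store.update_unchecked("bob", "m1", "tampered")    # no owner check: succeeds
    tampered = store.rows["m1"].content
    store.delete_checked("alice", "m1")
    store.update_unchecked("bob", "m1", "restored")    # upsert resurrects the row
    return {"blocked": blocked, "tampered": tampered, "restored": "m1" in store.rows}
```

The `restored` result reproduces the bulletin's note that a deleted memory can be brought back through the update endpoint; a fix that only adds the owner check but keeps the upsert would still fail that case.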
Remediation
Install the update from the vendor's website.