Improper Authorization in Open WebUI - #VU130177

 


Published: May 5, 2026


Vulnerability identifier: #VU130177
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to read and modify channel messages after deactivation.

The vulnerability exists due to improper access control in the is_user_channel_member authorization check in backend/open_webui/models/channels.py when handling direct API requests to group or DM channel message endpoints. A remote user can send crafted API requests to read and modify channel messages after deactivation.

Only instances with the channels feature enabled are vulnerable. Exploitation requires prior membership in the target channel and knowledge of the channel ID.
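The following is an added illustration of the class of defect described above (CWE-285), not Open WebUI's code: a hypothetical in-memory channel store whose membership check, in its weak form, treats any membership row as valid even after deactivation, beside a hardened form that also requires the membership to still be active. The ChannelStore class, the "active" flag on memberships, the channels_enabled switch and the sample users and channel IDs are all constructed for this example; the real project's data model and endpoints are not shown on this page and are not assumed.

```python
"""Hypothetical CWE-285 membership check that ignores deactivation, beside a
hardened version. Constructed for illustration; not Open WebUI's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Membership:
    user_id: str
    channel_id: str
    active: bool = True  # set to False when the membership is deactivated


@dataclass
class Channel:
    channel_id: str
    kind: str  # "group" or "dm"
    messages: List[Tuple[str, str]] = field(default_factory=list)  # (author, text)


class ChannelStore:
    """Minimal in-memory stand-in for a channels table and its membership rows."""

    def __init__(self, channels_enabled: bool = True) -> None:
        # Mirrors the advisory's note that only instances with the channels
        # feature enabled are affected: disabled means no channel access at all.
        self.channels_enabled = channels_enabled
        self.channels: Dict[str, Channel] = {}
        self.memberships: Dict[Tuple[str, str], Membership] = {}

    def add_channel(self, channel_id: str, kind: str) -> None:
        self.channels[channel_id] = Channel(channel_id, kind)

    def add_member(self, user_id: str, channel_id: str) -> None:
        self.memberships[(user_id, channel_id)] = Membership(user_id, channel_id)

    def deactivate_member(self, user_id: str, channel_id: str) -> None:
        # Deactivation keeps the row (history) but must revoke access.
        self.memberships[(user_id, channel_id)].active = False

    # --- the authorization check, in two variants ---

    def is_user_channel_member_weak(self, user_id: str, channel_id: str) -> bool:
        # Weak: the mere existence of a membership row grants access,
        # so a deactivated member still passes.
        return (user_id, channel_id) in self.memberships

    def is_user_channel_member(self, user_id: str, channel_id: str) -> bool:
        # Hardened: the row must exist AND still be active.
        m = self.memberships.get((user_id, channel_id))
        return m is not None and m.active

    # --- message endpoints that rely on the check ---

    def _authorize(self, user_id: str, channel_id: str,
                   check: Callable[[str, str], bool]) -> None:
        # A disabled feature and an unknown channel both fail the same way,
        # so the response does not reveal which channel IDs exist.
        if not self.channels_enabled or channel_id not in self.channels:
            raise PermissionError("channel not available")
        if not check(user_id, channel_id):
            raise PermissionError("not an active member of this channel")

    def read_messages(self, user_id: str, channel_id: str,
                      check: Optional[Callable[[str, str], bool]] = None) -> List[Tuple[str, str]]:
        self._authorize(user_id, channel_id, check or self.is_user_channel_member)
        return list(self.channels[channel_id].messages)

    def post_message(self, user_id: str, channel_id: str, text: str,
                     check: Optional[Callable[[str, str], bool]] = None) -> int:
        self._authorize(user_id, channel_id, check or self.is_user_channel_member)
        self.channels[channel_id].messages.append((user_id, text))
        return len(self.channels[channel_id].messages)


def demo() -> Dict[str, bool]:
    """Shows whether a deactivated member can still read under each check."""
    store = ChannelStore()
    store.add_channel("grp-1", "group")  # constructed sample channel
    store.add_member("alice", "grp-1")
    store.add_member("bob", "grp-1")
    store.post_message("alice", "grp-1", "hello")
    store.deactivate_member("bob", "grp-1")

    def can_read(check: Callable[[str, str], bool]) -> bool:
        try:
            store.read_messages("bob", "grp-1", check)
            return True
        except PermissionError:
            return False

    return {
        "weak_allows_read": can_read(store.is_user_channel_member_weak),
        "hardened_allows_read": can_read(store.is_user_channel_member),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that revocation state is part of the authorization decision: every message endpoint, including ones reached by direct API calls rather than through the UI, routes through the same check, so a deactivated membership is refused consistently for both reads and writes.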


Remediation

Install security update from vendor's website.

Sources