Missing Authorization in Open WebUI - #VU130243
Published: May 6, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to modify or delete other users' messages.
The vulnerability exists due to missing authorization in the message update and delete endpoints when handling direct API requests for channel messages. A remote user can send crafted update or delete requests with a user-controlled message_id to modify or delete other users' messages.
Only instances with channels enabled are vulnerable. The issue can be exploited by users who have read access to a channel but do not own the target message.
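
The missing check described above, sketched as an added example (not Open WebUI's code): a weak check that treats channel read access as write access, beside a hardened check that ties the caller-supplied message_id to both the channel and the author. All names, the in-memory store and the admin override are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: str
    role: str = "user"              # assumed role model: "user" or "admin"

@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str                    # author of the message
    content: str

@dataclass
class Channel:
    id: str
    readers: set = field(default_factory=set)

# Constructed sample data: alice and bob can read c1, only alice can read c2.
CHANNELS = {"c1": Channel("c1", {"alice", "bob"}), "c2": Channel("c2", {"alice"})}
MESSAGES = {"m1": Message("m1", "c1", "alice", "alice's note"),
            "m2": Message("m2", "c2", "alice", "private note")}

def can_write_weak(user, channel_id, message_id):
    """Flawed pattern: channel read access is the only gate on update/delete."""
    channel = CHANNELS.get(channel_id)
    return channel is not None and user.id in channel.readers and message_id in MESSAGES

def can_write(user, channel_id, message_id):
    """Hardened check for update/delete on a caller-supplied message_id."""
    channel, message = CHANNELS.get(channel_id), MESSAGES.get(message_id)
    if channel is None or message is None:
        return False
    if message.channel_id != channel.id:    # id must belong to the channel in the request
        return False
    if user.role == "admin":                # assumed policy: admins may moderate
        return True
    # The caller must be able to read the channel AND be the message author.
    return user.id in channel.readers and message.user_id == user.id

def update_message(user, channel_id, message_id, content, check=can_write):
    """Apply an edit only after the authorization check passes."""
    if not check(user, channel_id, message_id):
        raise PermissionError("not allowed to modify this message")
    MESSAGES[message_id].content = content
    return MESSAGES[message_id]
```

The same check belongs in front of the delete handler; a regression test should cover a reader who is not the author and a message_id that belongs to a different channel.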