Authorization bypass through user-controlled key in Open WebUI - #VU130955


Published: May 11, 2026


Vulnerability identifier: #VU130955
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Open WebUI
Software vendor: Open WebUI

Description

The vulnerability allows a remote user to modify other users' messages.

The vulnerability exists due to improper access control in the update_message_by_id API endpoint when handling update requests for group or DM channels: the message to update is selected by a user-controlled identifier, and the endpoint does not verify that the requesting user is the author of that message. A remote user can send a crafted update request for another member's message and modify other users' messages.

The issue affects the Channels feature and only applies when that feature is enabled. Messages posted by administrators within the same channel can also be modified.
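To make the defect class concrete, the following is an added illustration, not Open WebUI's code: a minimal message-update handler in the vulnerable shape (a user-supplied message id selects the record and channel membership is the only check) beside a hardened version that also verifies the requester is the stored author. The `Message` and `Channel` classes, the in-memory store and the two `update_message_*` functions are all constructed for this example.

```python
"""Authorization bypass through a user-controlled key (CWE-639), shown as a
vulnerable update handler next to its hardened form.  Everything here is a
constructed illustration, not the project's real endpoint."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not allowed to edit the message."""


@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str      # author of the message
    content: str


@dataclass
class Channel:
    id: str
    kind: str                          # "group" or "dm"
    members: set = field(default_factory=set)


# Constructed sample data: one group channel with two regular members and an admin.
CHANNELS = {"ch1": Channel(id="ch1", kind="group", members={"alice", "bob", "admin"})}
MESSAGES = {
    "m1": Message(id="m1", channel_id="ch1", user_id="alice", content="hello"),
    "m2": Message(id="m2", channel_id="ch1", user_id="admin", content="notice"),
}


def update_message_unchecked(requester_id: str, message_id: str, new_content: str) -> Message:
    """Vulnerable pattern: the id from the request picks the record, and only
    channel membership is checked, so any member can edit any other member's
    (including an administrator's) message."""
    msg = MESSAGES[message_id]
    channel = CHANNELS[msg.channel_id]
    if requester_id not in channel.members:
        raise Forbidden("not a channel member")
    msg.content = new_content
    return msg


def update_message_checked(requester_id: str, message_id: str, new_content: str) -> Message:
    """Hardened pattern: membership is still required, and the requester must
    match the author stored server-side on the record.  The author is never
    taken from a client-supplied field, so the key in the request cannot be
    used to reach someone else's message."""
    msg = MESSAGES.get(message_id)
    if msg is None:
        raise KeyError(message_id)
    channel = CHANNELS[msg.channel_id]
    if requester_id not in channel.members:
        raise Forbidden("not a channel member")
    if msg.user_id != requester_id:
        raise Forbidden("only the author may edit this message")
    msg.content = new_content
    return msg
```

The hardened handler performs the ownership comparison against the persisted record, which is the property a reviewer should look for in any "update by id" endpoint: the identifier coming from the client must only narrow the query within what the authenticated principal already owns, not select across all rows.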


Remediation

Install security update from vendor's website.

External links