Authorization bypass through user-controlled key in Open WebUI - #VU136847
Published: July 3, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to an authorization bypass through a user-controlled key in the channel thread message retrieval logic: when handling a thread request, the caller-supplied message id is used as the thread root without verifying that it belongs to the requested channel. A remote user can request a thread in a channel they are allowed to access while supplying a private channel's message id as the thread root, disclosing sensitive information.
The issue can expose the message content, channel id, and author metadata of the private channel's message, even though direct access to the victim channel remains denied.
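The flaw pattern the advisory describes, modelled as an added example that is not Open WebUI's code: the handler authorizes the caller against the requested channel but trusts the caller-supplied thread root id, so the fixed variant binds the root message (and every returned reply) to that channel. The data structures, names and membership rule below are assumptions for a minimal in-memory model.

```python
# Added illustration of the user-controlled-key authorization bypass.
# NOT Open WebUI's code: channels, messages and the access rule are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: str
    channel_id: str
    author: str
    content: str


# Constructed sample data: one channel bob can read, one he cannot.
CHANNEL_MEMBERS = {"public": {"alice", "bob"}, "private": {"alice"}}
MESSAGES = {
    "m1": Message("m1", "public", "alice", "hello everyone"),
    "m2": Message("m2", "private", "alice", "confidential roadmap"),
    "m3": Message("m3", "private", "alice", "reply kept in private"),
}
THREAD_REPLIES = {"m1": ["m1"], "m2": ["m2", "m3"]}  # thread root id -> message ids


def user_can_access(user, channel_id):
    return user in CHANNEL_MEMBERS.get(channel_id, set())


def get_thread_vulnerable(user, channel_id, root_id):
    # Authorization is checked only against the caller-chosen channel id ...
    if not user_can_access(user, channel_id):
        raise PermissionError("channel access denied")
    # ... while the thread root id is caller-controlled and never tied to it.
    return [MESSAGES[i] for i in THREAD_REPLIES.get(root_id, [])]


def get_thread_fixed(user, channel_id, root_id):
    if not user_can_access(user, channel_id):
        raise PermissionError("channel access denied")
    root = MESSAGES.get(root_id)
    # Bind the key to the authorized object: the root must live in this channel.
    if root is None or root.channel_id != channel_id:
        raise PermissionError("thread root not in this channel")
    # Defence in depth: every returned reply must also belong to the channel.
    replies = (MESSAGES[i] for i in THREAD_REPLIES.get(root_id, []))
    return [m for m in replies if m.channel_id == channel_id]


def thread_ids(handler, user, channel_id, root_id):
    """Message ids a handler discloses to the caller, or None if it refuses."""
    try:
        return [m.id for m in handler(user, channel_id, root_id)]
    except PermissionError:
        return None
```

Calling `thread_ids(get_thread_vulnerable, "bob", "public", "m2")` shows the private thread leaking through the accessible channel, while the fixed handler refuses the same request and still serves legitimate members of the private channel.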