CVE-2026-44558: open-webui: permission bypass exposes channels publicly

# Channel Access Grants Bypass filter_allowed_access_grants ## Affected Component Channel creation and update endpoints: - `backend/open_webui/routers/channels.py` (lines 291-340, `create_new_channel`) - `backend/open_webui/routers/channels.py` (lines 617-638, `update_channel_by_id`) - `backend/open_webui/models/channels.py` (lines 825-826, `set_access_grants` call without filtering) ## Affected Versions Current main branch (commit `6fdd19bf1`) and likely all versions supporting user-created group channels with access grants. ## Description All resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call `filter_allowed_access_grants()` before persisting access grants. This function strips `principal_id: "*"` wildcard grants from users who lack the relevant `sharing.public_*` permission, and strips individual user grants from users who lack `access_grants.allow_users` permission. The channel router does not call `filter_allowed_access_grants` on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework. ```python # channels.py — access_grants from form data flow directly into persistence # No call to filter_allowed_access_grants() anywhere in these paths. # Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py, # all of which do: # form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants) # before creating or updating. ``` ## Attack Scenario 1. Admin configures permissions so that regular users do NOT have `sharing.public_channels` — public sharing of channels is intended to be admin-only. 2. Attacker (a regular user) creates or owns a group channel. 3. Attacker sends: ``` POST /api/v1/channels/ { "name": "public-channel", "type": "group", "access_control": { "access_grants": [ {"principal_type": "user", "principal_id": "*", "permission": "read"} ] } } ``` 4. `set_access_grants` is called directly without `filter_allowed_access_grants` — the wildcard grant is persisted. 5. The channel becomes publicly readable to every user on the instance, despite the admin's policy prohibiting public channels for regular users. The same attack works via `POST /api/v1/channels/{id}/update` for any channel the attacker owns. ## Impact - Regular users can bypass the `sharing.public_channels` permission and make channels publicly accessible - Regular users can bypass `access_grants.allow_users` to grant individual-user access in environments where only group-based sharing is intended - Admin's permission framework for channels is silently ineffective - Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about ## Preconditions - Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel - Admin must have configured restrictive sharing permissions for regular users (otherwise there's no policy to bypass)

A regular employee at a company running Open WebUI as their internal AI assistant platform notices that the admin has disabled public channel sharing for non-admins. The attacker, familiar with REST APIs, inspects the network traffic and crafts a direct POST request to `/api/v1/channels/` with a payload including `access_grants: [{principal_type: 'user', principal_id: '*', permission: 'read'}]`. Because the channel router does not call `filter_allowed_access_grants()`, the wildcard grant is stored verbatim. The attacker's newly created channel — which they can populate with sensitive content or use to monitor others' AI interactions — is now readable by every user on the instance. The admin's permission policy that was supposed to prevent exactly this is silently bypassed with no log entry indicating a policy violation.