AI Threat Alert

CVE-2026-44569: Open WebUI: IDOR enables cross-user message tampering

GHSA-jxwr-g6r6-j3fx HIGH CISA: TRACK*
Published May 11, 2026
CISO Take

Open WebUI contains an Insecure Direct Object Reference vulnerability where any authenticated user with read-only channel access can silently modify or delete other users' messages by calling backend APIs directly, completely bypassing frontend ownership checks. With a CVSS score of 7.1 (High), low attack complexity, and no privileges beyond a basic account required, exploitation is trivial — a single curl command is sufficient, as demonstrated in the published advisory PoC. Organizations using Open WebUI for collaborative AI workflows face silent corruption of shared prompts, instructions, and audit trails, with no visible attribution change to alert administrators. This package has accumulated 57 CVEs, a pattern that warrants serious scrutiny; patch to version 0.6.19 immediately, or disable channels via ENABLE_CHANNELS=false as a temporary workaround.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk for multi-user Open WebUI deployments with channels enabled. Exploitation requires only a valid authenticated account with read access to a shared channel — no elevation of privilege is needed. The attack is reproducible by any user via direct HTTP calls, with the published advisory providing a complete PoC. The primary impact is high integrity loss (I:H per CVSS): message content can be modified or deleted without any audit trail reflecting the actual actor. No public exploit tooling is confirmed, but the trivial reproduction barrier means exploitation is accessible to any motivated insider or low-skilled external attacker who obtains credentials. The 57 prior CVEs in this package suggest systemic security debt that raises the overall risk posture.

How does the attack unfold?

Initial Access
Attacker authenticates to Open WebUI with a legitimate account that has been granted read access to one or more shared channels.
AML.T0012
Reconnaissance
Attacker browses the channel frontend to observe and record message IDs belonging to other users, which are exposed in API responses.
AML.T0049
Exploitation
Attacker directly calls backend update or delete API endpoints with a victim's message_id; the backend validates only channel membership, not message ownership, so the request succeeds.
AML.T0049
Impact
Victim messages are silently modified with adversarial content or deleted entirely, corrupting shared AI prompts, audit trails, and collaborative workflows with no visible attribution change.
AML.T0048.003

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.6.18 0.6.19
142.4K Pushed 5d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
7.1 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I High
A Low

What should I do?

6 steps

  1. Patch immediately: upgrade open-webui to version 0.6.19 or later — this is the only complete fix.

  2. If patching is not immediately possible, set ENABLE_CHANNELS=false in your environment configuration to disable the vulnerable feature entirely.

  3. Review API access logs for calls to /api/v1/channels/{id}/messages/{msg_id}/update and /delete endpoints where the requesting user is not the message author.

  4. Audit recent channel message history against any external backups or logs to detect unauthorized modifications prior to patching.

  5. Restrict channel read access to the minimum necessary set of users until the patch is applied.

  6. Alert on anomalous API usage patterns: authenticated users issuing POST/DELETE against message endpoints they did not author.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass API Framework AML.T0012 AML.T0048.001 AML.T0048.003 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2 - Access control for AI systems A.9.1 - AI data integrity A.9.2 - Access control to AI systems
NIST AI RMF
GOVERN 1.2 - Accountability structures for AI risk GOVERN-6.2 - Accountability mechanisms MANAGE 2.2 - Mechanisms to maintain AI system integrity
OWASP LLM Top 10
LLM07 - Insecure Plugin Design LLM09:2025 - Misinformation

Frequently Asked Questions

What is CVE-2026-44569?

Open WebUI contains an Insecure Direct Object Reference vulnerability where any authenticated user with read-only channel access can silently modify or delete other users' messages by calling backend APIs directly, completely bypassing frontend ownership checks. With a CVSS score of 7.1 (High), low attack complexity, and no privileges beyond a basic account required, exploitation is trivial — a single curl command is sufficient, as demonstrated in the published advisory PoC. Organizations using Open WebUI for collaborative AI workflows face silent corruption of shared prompts, instructions, and audit trails, with no visible attribution change to alert administrators. This package has accumulated 57 CVEs, a pattern that warrants serious scrutiny; patch to version 0.6.19 immediately, or disable channels via ENABLE_CHANNELS=false as a temporary workaround.

Is CVE-2026-44569 actively exploited?

No confirmed active exploitation of CVE-2026-44569 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44569?

1. Patch immediately: upgrade open-webui to version 0.6.19 or later — this is the only complete fix. 2. If patching is not immediately possible, set ENABLE_CHANNELS=false in your environment configuration to disable the vulnerable feature entirely. 3. Review API access logs for calls to /api/v1/channels/{id}/messages/{msg_id}/update and /delete endpoints where the requesting user is not the message author. 4. Audit recent channel message history against any external backups or logs to detect unauthorized modifications prior to patching. 5. Restrict channel read access to the minimum necessary set of users until the patch is applied. 6. Alert on anomalous API usage patterns: authenticated users issuing POST/DELETE against message endpoints they did not author.

What systems are affected by CVE-2026-44569?

This vulnerability affects the following AI/ML architecture patterns: Multi-user ML UI platforms, Collaborative LLM interfaces, AI agent coordination environments, Enterprise AI deployment platforms.

What is the CVSS score for CVE-2026-44569?

CVE-2026-44569 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

Multi-user ML UI platformsCollaborative LLM interfacesAI agent coordination environmentsEnterprise AI deployment platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0048.001 Reputational Harm
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15, Article 9
ISO 42001: A.6.2, A.9.1, A.9.2
NIST AI RMF: GOVERN 1.2, GOVERN-6.2, MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM09:2025

What are the technical details?

Original Advisory

### Description There's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation. While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages. The vulnerability affects both message content modification and deletion, allowing users to tamper with message integrity and audit trails in collaborative channel environments. ### Source - Sink Analysis **Source:** User-controlled `message_id` parameter in URL path **Call Chain:** 1. FastAPI route handlers `update_message_by_id()` (line 450) and `delete_message_by_id()` (line 630) in `backend/open_webui/routers/channels.py` 2. Channel-level authorization check: `has_access(user.id, type="read", access_control=channel.access_control)` at lines 457 and 637 3. Message retrieval: `Messages.get_message_by_id(message_id)` at lines 467 and 647 4. Channel ID validation: `if message.channel_id != id:` at lines 472 and 652 5. **Missing:** Message ownership validation (`message.user_id == user.id`) 6. **Sink:** `Messages.update_message_by_id(message_id, form_data)` at line 476 or `Messages.delete_message_by_id(message_id)` at line 658 - modifies any message without ownership verification ### Proof of Concept 1. Deploy Open WebUI with channels enabled (`ENABLE_CHANNELS=true`) 2. Create scenario: - User A creates a channel and grants User B read access - User A posts a message in the channel - User B observes the message_id from the frontend 3. Exploit: User B sends direct API requests bypassing frontend controls: Message Update: ```bash curl -X POST "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/update" \ -H "Authorization: Bearer {attacker_token}" \ -H "Content-Type: application/json" \ -d '{"content": "Malicious content injected by attacker"}' ``` Message Deletion: ```bash curl -X DELETE "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/delete" \ -H "Authorization: Bearer {attacker_token}" ``` 4. Result: Victim's message is modified or deleted despite User B only having read permissions ### Impact - Users can modify other users' message content within shared channels - Read-only users gain write/delete capabilities over other users' content ### Remediation Implement proper message ownership validation in the update and delete endpoints by adding ownership checks that follow the established security pattern used throughout the codebase. First, add a validation condition after the existing message retrieval to ensure only message owners or admins can modify messages: `if user.role != "admin" and message.user_id != user.id and not has_access(user.id, type="write", access_control=channel.access_control)` then raise a 403 Forbidden exception. Second, change the existing permission check from `type="read"` to `type="write"` for both update and delete operations to align with the access control model used in other routers (notes, prompts, knowledge, etc.).

Exploitation Scenario

An insider threat or attacker who has obtained credentials for a read-only account on an enterprise Open WebUI deployment browses a shared team channel and captures message IDs from the frontend. They then issue direct HTTP DELETE requests to erase safety policy messages posted by administrators, and POST update requests to silently replace trusted team members' LLM prompts with adversarial instructions. Because the backend validates only channel membership — not message ownership — every request succeeds. The modified messages appear authentic in the UI with no attribution change, and the audit trail reflects the original authors, making forensic investigation extremely difficult. Over time, corrupted shared prompts propagate malicious behavior into dependent AI workflows.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

References

Timeline

Published
May 11, 2026
Last Modified
May 11, 2026
First Seen
May 11, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44551 9.1

open-webui: LDAP auth bypass — full account takeover

Same package: open-webui
HIGH CVE-2026-45672 8.8

open-webui: code exec gate bypass via API endpoint

Same package: open-webui
HIGH CVE-2026-44552 8.7

open-webui: Redis cache poisoning enables cross-instance tool hijack

Same package: open-webui
HIGH CVE-2025-64495 8.7

Open WebUI: XSS-to-RCE via malicious prompt injection

Same package: open-webui
HIGH CVE-2026-45315 8.7

open-webui: stored XSS → JWT theft and admin takeover

Same package: open-webui
Back to Threat Feed