CVE-2026-45385: Open WebUI: IDOR lets members tamper with admin messages

GHSA-wwhq-cx22-f7vv MEDIUM PoC AVAILABLE CISA: TRACK*
Published May 14, 2026
CISO Take

CVE-2026-45385 is an Insecure Direct Object Reference flaw in Open WebUI's group and DM channel messaging — any authenticated channel member can silently overwrite messages sent by other members, including administrators, by calling the message update API with a different user's message ID. The vulnerability is trivially exploitable (low complexity, low privilege, no user interaction required) with a single crafted API call, though exposure is bounded to deployments where the Channels feature has been manually enabled in the admin interface since it ships disabled by default. With 91 prior CVEs recorded against this package, organizations running Open WebUI in enterprise or multi-user AI workspace settings should treat this as a trust-integrity risk: tampered admin messages can silently propagate false AI usage policies or governance directives to other team members without leaving obvious traces. Patch to open-webui v0.9.5 immediately, or disable the Channels feature via the admin panel as an interim workaround.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 4.3 (Medium) underestimates the real-world integrity risk in AI governance contexts. Exploitation is trivial — a single authenticated API call with no special skills required — and difficult to detect without message-level audit logging. Blast radius is bounded by the requirement for Channels to be enabled and the attacker to hold valid channel membership, making this primarily an insider threat or compromised-account scenario. No public exploit exists and the CVE is not in CISA KEV, reducing near-term mass exploitation likelihood. However, the 91-CVE history of this package signals persistent security debt and warrants architectural review for any enterprise Open WebUI deployment.

How does the attack unfold?

Initial Access (AML.T0012): Attacker authenticates with valid credentials and joins, or is already a member of, a group or DM channel in the target Open WebUI deployment.

Exploitation (AML.T0049): Attacker identifies a target message ID (observable from channel response data) and sends a crafted POST to the message update endpoint; the missing ownership check allows the request to succeed regardless of authorship.

Impact (AML.T0048.001): Admin or peer messages are silently overwritten with attacker-controlled content, enabling disinformation propagation, AI policy manipulation, or trust erosion across the governance team without alerting the original author.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | < 0.9.5 | 0.9.5 |

How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: Low
A: None

What should I do?

  1. Patch: Upgrade open-webui to v0.9.5 or later — the fix adds message ownership verification to the group/dm branch of the update_message_by_id handler in channels.py.

  2. Workaround: Disable the Channels feature via Admin Panel → Features → Channels (confirm this setting is off in your deployment; it ships disabled by default).

  3. Detection: Audit API access logs for POST requests to /api/v1/channels/*/messages/*/update where the authenticated user ID differs from the original message author ID; enable message edit history logging if supported.

  4. Least privilege: Restrict channel membership to trusted users until the patch is applied and verified.
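
The detection step above, worked through as an added example (not code from the advisory or from Open WebUI). It assumes access logs are available as JSON lines that record the caller's `user_id`, and that a message-ID-to-author lookup can be exported from the message store; the log format, the field names and all IDs are constructed for illustration.

```python
import json
import re

# Path shape taken from the update request shown in the advisory.
UPDATE_PATH = re.compile(
    r"^/api/v1/channels/(?P<channel>[0-9a-f-]{36})"
    r"/messages/(?P<message>[0-9a-f-]{36})/update/?$"
)
CH = "cccccccc-0000-4000-8000-000000000001"         # constructed channel ID
MSG_ADMIN = "aaaaaaaa-0000-4000-8000-000000000001"  # constructed message IDs
MSG_TEST2 = "aaaaaaaa-0000-4000-8000-000000000002"
MSG_GONE = "aaaaaaaa-0000-4000-8000-000000000003"
# Constructed lookup: message ID -> author user ID (assumed export from the message store).
AUTHORS = {MSG_ADMIN: "admin", MSG_TEST2: "test2"}

def log_line(ts, user_id, tail, status, method="POST"):  # one constructed log record
    path = f"/api/v1/channels/{CH}/messages/{tail}"
    return json.dumps({"ts": ts, "method": method, "path": path, "status": status, "user_id": user_id})

SAMPLE_LOG = [
    log_line("2026-05-15T09:00:00Z", "test2", f"{MSG_TEST2}/update", 200),  # own message
    log_line("2026-05-15T09:01:00Z", "test1", f"{MSG_ADMIN}/update", 200),  # admin's message
    log_line("2026-05-15T09:02:00Z", "test1", f"{MSG_TEST2}/update", 403),  # denied attempt
    log_line("2026-05-15T09:03:00Z", "test1", "post", 200),                 # new message, not an edit
    log_line("2026-05-15T09:04:00Z", "test1", f"{MSG_GONE}/update", 200),   # author not on record
    "not a json record",
]

def find_cross_author_edits(log_lines, authors):
    """Return update requests whose caller is not the recorded author of the message."""
    findings = []
    for raw in log_lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        m = UPDATE_PATH.match(str(rec.get("path", "")).split("?", 1)[0])
        if not m:
            continue
        caller, author = rec.get("user_id"), authors.get(m["message"])
        if caller is not None and caller == author:
            continue  # author editing their own message
        status = rec.get("status")
        findings.append({"ts": rec.get("ts"), "caller": caller, "author": author,
                         "message": m["message"],
                         "succeeded": isinstance(status, int) and 200 <= status < 300})
    return findings
```

Findings with `succeeded` set to false are still worth reviewing: on a patched instance they show a member attempting to edit someone else's message and being refused.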

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Access Control
NIST AI RMF
MANAGE 2.2 - Mechanisms to Sustain Oversight
OWASP LLM Top 10
LLM09:2025 - Misinformation

Frequently Asked Questions

Is CVE-2026-45385 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-45385, increasing the risk of exploitation.

What systems are affected by CVE-2026-45385?

This vulnerability affects the following AI/ML architecture patterns: Multi-user LLM interface deployments, Collaborative AI workspaces, Enterprise LLM governance platforms.

What is the CVSS score for CVE-2026-45385?

CVE-2026-45385 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

Multi-user LLM interface deployments
Collaborative AI workspaces
Enterprise LLM governance platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0048.001 Reputational Harm
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM09:2025

What are the technical details?

Original Advisory

### Summary

An IDOR vulnerability exists in the Channels feature of `Open WebUI`, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (`v0.8.12`) of `Open WebUI`.

### Details

In the `update_message_by_id` function, for `group` or `dm` type channels, only the caller's membership in the channel is checked via the `is_user_channel_member` function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel.

The problematic code is as follows [(https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355)](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355):

```python
if channel.type in ['group', 'dm']:
    if not Channels.is_user_channel_member(channel.id, user.id, db=db):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
    if (
        user.role != 'admin'
        and message.user_id != user.id
        and not channel_has_access(user.id, channel, permission='write', strict=False, db=db)
    ):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())

try:
    message = Messages.update_message_by_id(message_id, form_data, db=db)
```

Non-group/dm types include a check for the user ID, while the `group/dm` type clearly lacks this verification.

### PoC

The `Channels` feature is disabled by default and can be enabled first through the `admin` interface.

Create a `group` type channel with members including users `test1` and `test2`.

```
POST /api/v1/channels/create HTTP/1.1
Content-Type: application/json

{
  "name": "idor-test-group",
  "type": "group",
  "user_ids": [
    "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
    "b9997496-ff80-4c30-a366-95474f85e62b"
  ]
}
```

User `test2` sends a message in the channel.

```
POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test2_token>

{"content":"This is test2 secret message"}
```

User `test1` can directly modify the message that `test2` just sent.

```
POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test1_token>

{"content":"HACKED BY TEST1 - message tampered!"}
```

Messages sent by administrators can also be modified.

### Impact

Malicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.

### Suggested Fix

Add a message ownership check in the `group/dm` branch of `channels.py`.
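
The authorization decision quoted in the advisory, modelled beside a version with the suggested ownership check, as an added example (not Open WebUI's code and not the actual v0.9.5 patch). The `User`, `Channel` and `Message` classes, the `writer_ids` stand-in for `channel_has_access`, and the policy that only the author may edit in group/dm channels are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"

@dataclass(frozen=True)
class Channel:
    id: str
    type: str                            # "group", "dm", or another channel type
    member_ids: frozenset = frozenset()
    writer_ids: frozenset = frozenset()  # hypothetical stand-in for channel_has_access(..., 'write')

@dataclass(frozen=True)
class Message:
    id: str
    user_id: str                         # author of the message

def can_update_vulnerable(user, channel, message):
    """Decision logic as quoted in the advisory: group/dm checks membership only."""
    if channel.type in ("group", "dm"):
        return user.id in channel.member_ids
    return user.role == "admin" or message.user_id == user.id or user.id in channel.writer_ids

def can_update_fixed(user, channel, message):
    """Same logic with an ownership check added to the group/dm branch (assumed policy)."""
    if channel.type in ("group", "dm"):
        return user.id in channel.member_ids and message.user_id == user.id
    return user.role == "admin" or message.user_id == user.id or user.id in channel.writer_ids

def regression_cases():
    """Return {case: (vulnerable_result, fixed_result)} for the advisory's scenario."""
    admin, test1, test2 = User("u-admin", "admin"), User("u-test1"), User("u-test2")
    outsider = User("u-outsider")
    group = Channel("c1", "group", frozenset({admin.id, test1.id, test2.id}))
    by_test2, by_admin = Message("m1", test2.id), Message("m2", admin.id)
    cases = {
        "member edits peer message": (test1, by_test2),
        "member edits admin message": (test1, by_admin),
        "author edits own message": (test2, by_test2),
        "non-member edits message": (outsider, by_test2),
    }
    return {name: (can_update_vulnerable(u, group, m), can_update_fixed(u, group, m))
            for name, (u, m) in cases.items()}
```

The four cases in `regression_cases` double as a regression test: after upgrading, the first two must be refused while the author's own edit still succeeds.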

Exploitation Scenario

A malicious insider with a standard user account joins a group channel used by an AI governance team in an enterprise Open WebUI deployment. The attacker observes an admin posting a message approving specific LLM models for production use. The attacker records the message ID from the channel response and crafts a POST to /api/v1/channels/{channel_id}/messages/{message_id}/update with their own bearer token and modified content. Because the authorization code only checks channel membership — not message authorship — the request succeeds silently. The admin's approval message is replaced with attacker-controlled content; team members act on the falsified directive, and without message audit trails, the tampering goes undetected until manual review.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published: May 14, 2026
Last Modified: May 14, 2026
First Seen: May 15, 2026
