CVE-2026-45385: Open WebUI: IDOR lets members tamper with admin messages
GHSA-wwhq-cx22-f7vv MEDIUM PoC AVAILABLE CISA: TRACK*CVE-2026-45385 is an Insecure Direct Object Reference flaw in Open WebUI's group and DM channel messaging — any authenticated channel member can silently overwrite messages sent by other members, including administrators, by calling the message update API with a different user's message ID. The vulnerability is trivially exploitable (low complexity, low privilege, no user interaction required) with a single crafted API call, though exposure is bounded to deployments where the Channels feature has been manually enabled in the admin interface since it ships disabled by default. With 91 prior CVEs recorded against this package, organizations running Open WebUI in enterprise or multi-user AI workspace settings should treat this as a trust-integrity risk: tampered admin messages can silently propagate false AI usage policies or governance directives to other team members without leaving obvious traces. Patch to open-webui v0.9.5 immediately, or disable the Channels feature via the admin panel as an interim workaround.
What is the risk?
CVSS 4.3 (Medium) underestimates the real-world integrity risk in AI governance contexts. Exploitation is trivial — a single authenticated API call with no special skills required — and difficult to detect without message-level audit logging. Blast radius is bounded by the requirement for Channels to be enabled and the attacker to hold valid channel membership, making this primarily an insider threat or compromised-account scenario. No public exploit exists and the CVE is not in CISA KEV, reducing near-term mass exploitation likelihood. However, the 91-CVE history of this package signals persistent security debt and warrants architectural review for any enterprise Open WebUI deployment.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | < 0.9.5 | 0.9.5 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
4 steps-
Patch: Upgrade open-webui to v0.9.5 or later — the fix adds message ownership verification to the group/dm branch of the update_message_by_id handler in channels.py.
-
Workaround: Disable the Channels feature via Admin Panel → Features → Channels (confirm this setting is off in your deployment; it ships disabled by default).
-
Detection: Audit API access logs for POST requests to /api/v1/channels/*/messages/*/update where the authenticated user ID differs from the original message author ID; enable message edit history logging if supported.
-
Least privilege: Restrict channel membership to trusted users until the patch is applied and verified.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45385?
CVE-2026-45385 is an Insecure Direct Object Reference flaw in Open WebUI's group and DM channel messaging — any authenticated channel member can silently overwrite messages sent by other members, including administrators, by calling the message update API with a different user's message ID. The vulnerability is trivially exploitable (low complexity, low privilege, no user interaction required) with a single crafted API call, though exposure is bounded to deployments where the Channels feature has been manually enabled in the admin interface since it ships disabled by default. With 91 prior CVEs recorded against this package, organizations running Open WebUI in enterprise or multi-user AI workspace settings should treat this as a trust-integrity risk: tampered admin messages can silently propagate false AI usage policies or governance directives to other team members without leaving obvious traces. Patch to open-webui v0.9.5 immediately, or disable the Channels feature via the admin panel as an interim workaround.
Is CVE-2026-45385 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-45385, increasing the risk of exploitation.
How to fix CVE-2026-45385?
1. Patch: Upgrade open-webui to v0.9.5 or later — the fix adds message ownership verification to the group/dm branch of the update_message_by_id handler in channels.py. 2. Workaround: Disable the Channels feature via Admin Panel → Features → Channels (confirm this setting is off in your deployment; it ships disabled by default). 3. Detection: Audit API access logs for POST requests to /api/v1/channels/*/messages/*/update where the authenticated user ID differs from the original message author ID; enable message edit history logging if supported. 4. Least privilege: Restrict channel membership to trusted users until the patch is applied and verified.
What systems are affected by CVE-2026-45385?
This vulnerability affects the following AI/ML architecture patterns: Multi-user LLM interface deployments, Collaborative AI workspaces, Enterprise LLM governance platforms.
What is the CVSS score for CVE-2026-45385?
CVE-2026-45385 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.20%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0048.001 Reputational Harm AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary An IDOR vulnerability exists in the Channels feature of `Open WebUI`, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (`v0.8.12`) of `Open WebUI`. ### Details In the `update_message_by_id` function, for `group` or `dm` type channels, only the caller's membership in the channel is checked via the `is_user_channel_member` function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows [(https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355)](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) : ```python if channel.type in ['group', 'dm']: if not Channels.is_user_channel_member(channel.id, user.id, db=db): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()) else: if ( user.role != 'admin' and message.user_id != user.id and not channel_has_access(user.id, channel, permission='write', strict=False, db=db) ): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()) try: message = Messages.update_message_by_id(message_id, form_data, db=db) ``` Non-group/dm types include a check for the user ID, while the `group/dm` type clearly lacks this verification. ### PoC The `Channels` feature is disabled by default and can be enabled first through the `admin` interface. <img width="1024" height="618" alt="image" src="https://github.com/user-attachments/assets/a36502e9-c6cd-41cd-a69c-8b6ac809768f" /> Create a `group` type channel with members including users `test1` and `test2`. ``` POST /api/v1/channels/create HTTP/1.1 Content-Type: application/json { "name": "idor-test-group", "type": "group", "user_ids": [ "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c", "b9997496-ff80-4c30-a366-95474f85e62b" ] } ``` User `test2` sends a message in the channel. ``` POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1 Content-Type: application/json Authorization: Bearer <test2_token> {"content":"This is test2 secret message"} ``` User `test1` can directly modify the message that `test2` just sent. ``` POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1 Content-Type: application/json Authorization: Bearer <test1_token> {"content":"HACKED BY TEST1 - message tampered!"} ``` <img width="1024" height="216" alt="image" src="https://github.com/user-attachments/assets/77646d01-d501-4732-ac37-3ffb69f9f01f" /> Messages sent by administrators can also be modified. <img width="1024" height="419" alt="image" src="https://github.com/user-attachments/assets/b32dc5eb-f810-41d3-b358-f000d8331761" /> ### Impact Malicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information. ### Suggested Fix Add a message ownership check in the `group/dm` branch of `channels.py`.
Exploitation Scenario
A malicious insider with a standard user account joins a group channel used by an AI governance team in an enterprise Open WebUI deployment. The attacker observes an admin posting a message approving specific LLM models for production use. The attacker records the message ID from the channel response and crafts a POST to /api/v1/channels/{channel_id}/messages/{message_id}/update with their own bearer token and modified content. Because the authorization code only checks channel membership — not message authorship — the request succeeds silently. The admin's approval message is replaced with attacker-controlled content; team members act on the falsified directive, and without message audit trails, the tampering goes undetected until manual review.
Weaknesses (CWE)
CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui