Onyx Chat Session Interruption Vulnerability Allowing Users to Stop Others' LLM Generations
Vulnerability
A vulnerability in Onyx, an open-source AI platform, allows any authenticated user to disrupt the active chat sessions of other users. This issue is present in versions prior to 3.0.9, between 3.1.0 and 3.1.6, and between 3.2.0 and 3.2.6. The root cause is a missing object-level authorization check: the POST /chat/stop-chat-session/{chat_session_id} endpoint verifies that the caller is authenticated but does not verify that the referenced session belongs to the caller. As a result, an attacker who knows a chat session UUID can terminate another user's in-progress LLM generation.
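The following added example (illustrative code, not Onyx's own handler or schema) models the defect class described above: a stop-session handler that relies on upstream authentication but never compares the session's owner with the caller, shown beside a hardened version that enforces the ownership check. The ChatSession, SessionStore and user IDs are constructed for the demonstration.

```python
"""Vulnerable vs. hardened stop-chat-session handler (illustrative, not Onyx code)."""
from dataclasses import dataclass, field
from uuid import UUID, uuid4


@dataclass
class ChatSession:
    id: UUID
    owner_id: int
    generating: bool = True  # True while an LLM response is still streaming


@dataclass
class SessionStore:
    """Stand-in for the database table that holds chat sessions (constructed)."""
    sessions: dict = field(default_factory=dict)

    def get(self, session_id: UUID) -> ChatSession:
        try:
            return self.sessions[session_id]
        except KeyError:
            raise LookupError("chat session not found")


def stop_chat_session_vulnerable(store: SessionStore, session_id: UUID,
                                 current_user_id: int) -> dict:
    # Authentication already happened upstream (current_user_id is set), but
    # nothing checks that the session referenced by the URL belongs to that
    # user, so any authenticated caller who knows the UUID can stop it.
    session = store.get(session_id)
    session.generating = False
    return {"stopped": True}


def stop_chat_session_fixed(store: SessionStore, session_id: UUID,
                            current_user_id: int) -> dict:
    session = store.get(session_id)
    # Object-level authorization: only the session owner may stop generation.
    # Raising the same "not found" error as for unknown IDs avoids confirming
    # to a non-owner that the UUID exists.
    if session.owner_id != current_user_id:
        raise LookupError("chat session not found")
    session.generating = False
    return {"stopped": True}


def demo() -> tuple:
    """Exercise both handlers with user 1 as owner and user 2 as another user."""
    store = SessionStore()
    victim_session = ChatSession(id=uuid4(), owner_id=1)
    store.sessions[victim_session.id] = victim_session

    # Vulnerable handler: user 2 stops user 1's generation.
    stop_chat_session_vulnerable(store, victim_session.id, current_user_id=2)
    vuln_stopped_by_other = not victim_session.generating

    # Hardened handler: the same request from user 2 is rejected.
    victim_session.generating = True
    try:
        stop_chat_session_fixed(store, victim_session.id, current_user_id=2)
        fixed_blocked_other = False
    except LookupError:
        fixed_blocked_other = True
    still_generating_after_block = victim_session.generating

    # Hardened handler: the owner can still stop their own session.
    stop_chat_session_fixed(store, victim_session.id, current_user_id=1)
    owner_can_stop = not victim_session.generating

    return (vuln_stopped_by_other, fixed_blocked_other,
            still_generating_after_block, owner_can_stop)


if __name__ == "__main__":
    print(demo())
```

The ownership comparison is the whole fix; in a real web framework it belongs in the handler (or a shared dependency that loads the session scoped to the current user) so that every route taking a session ID from the URL applies it consistently.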
Impact
Exploitation of this vulnerability allows any authenticated user to interrupt another user's active chat sessions by providing the session UUID. This can be done repeatedly, preventing the targeted user from receiving LLM responses. The interruption occurs mid-stream, causing the user to lose any partial output.
Reproduction
To reproduce this vulnerability, first register two users and log in to each account. User 1 (the victim) should create a chat session and send a message, while User 2 (the attacker) can then use the POST /chat/stop-chat-session/{chat_session_id} endpoint to stop User 1's session. The request must include the chat session ID of the victim and be sent with the attacker's authentication cookie.
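For operators who cannot upgrade immediately, the request pattern above (an authenticated call to the stop endpoint carrying another user's session ID) can be audited from access logs. The following added detection example is not part of Onyx; it assumes a constructed log line format of `<timestamp> user=<id> POST /chat/stop-chat-session/<uuid> <status>` and a constructed session-to-owner mapping, and flags stop requests whose caller is not the session owner, plus callers who do so repeatedly.

```python
"""Detect cross-user stop-chat-session calls in access logs (constructed format)."""
import re
from collections import Counter

# Assumed log line shape; real deployments must adapt this pattern to their logging.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) POST /chat/stop-chat-session/"
    r"(?P<sid>[0-9a-f-]{36}) (?P<status>\d{3})$"
)

# Constructed session ownership table: session UUID -> owning user ID.
SESSION_OWNERS = {
    "11111111-1111-4111-8111-111111111111": 1,
    "22222222-2222-4222-8222-222222222222": 3,
}

# Constructed sample log lines: user 2 repeatedly stops user 1's session,
# user 1 and user 3 stop their own sessions, and one unrelated request.
LOG_LINES = [
    "2025-01-01T10:00:00Z user=1 POST /chat/stop-chat-session/11111111-1111-4111-8111-111111111111 200",
    "2025-01-01T10:00:05Z user=2 POST /chat/stop-chat-session/11111111-1111-4111-8111-111111111111 200",
    "2025-01-01T10:00:09Z user=2 GET /chat/history 200",
    "2025-01-01T10:00:12Z user=2 POST /chat/stop-chat-session/11111111-1111-4111-8111-111111111111 200",
    "2025-01-01T10:00:20Z user=3 POST /chat/stop-chat-session/22222222-2222-4222-8222-222222222222 200",
    "2025-01-01T10:00:31Z user=2 POST /chat/stop-chat-session/11111111-1111-4111-8111-111111111111 200",
]


def find_cross_user_stops(lines, owners):
    """Return (timestamp, caller, owner, session_id) for stops by a non-owner."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a stop-session request in the expected format
        sid = m["sid"]
        caller = int(m["user"])
        owner = owners.get(sid)
        # Unknown sessions are skipped; only confirmed mismatches are reported.
        if owner is not None and owner != caller:
            hits.append((m["ts"], caller, owner, sid))
    return hits


def repeat_offenders(hits, threshold=3):
    """Callers with at least `threshold` cross-user stops (repeated disruption)."""
    counts = Counter(caller for _, caller, _, _ in hits)
    return {caller for caller, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_cross_user_stops(LOG_LINES, SESSION_OWNERS)
    for hit in found:
        print("cross-user stop:", hit)
    print("repeat offenders:", repeat_offenders(found))
```

Because the vulnerable endpoint returns success for these requests, status codes alone do not distinguish abuse from normal use; the join against session ownership is what makes the check meaningful.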
Remediation
Users can update to Onyx versions 3.0.9, 3.1.6, or 3.2.6, where this vulnerability has been patched.
