Open WebUI Improper Authorization Vulnerability Allows Unauthorized Message Updates in Standard Channels

Vulnerability

Open WebUI versions prior to 0.8.6 allow an authenticated user who is not the author of a message to modify that message in a standard channel. The message update endpoint only checks that the caller has read permission on the channel; it does not check that the caller owns the message. In a standard channel, where channel-level access control is disabled and every authenticated user can read, that read check passes for everyone, so the authorization logic incorrectly permits users who are not the message owner to update it. The missing check is object-level (who owns this message), not channel-level (who may view this channel).

Impact

Exploitation allows any authenticated user with read access to a standard channel to alter the content of messages posted by other users, without their permission and without holding any elevated role. This is an integrity violation: conversation history in the channel can no longer be trusted to reflect what each author actually wrote.

Reproduction

To reproduce this vulnerability, log in as an authenticated user (User B) and make sure the target channel is a standard channel (not a group or direct-message channel). Open a message authored by another user (User A) and note its message ID. Then send a request to the message update endpoint for that message ID with new content. The request succeeds and the message is updated, even though User B is not its author, demonstrating the unauthorized modification.
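The following model is an added example, not Open WebUI's own code, that isolates the authorization mistake described in the Vulnerability section and replays the User A / User B scenario from the reproduction steps. The `User`, `Channel` and `Message` classes, the `has_access` helper and the `role` values are assumptions chosen to mirror the advisory's wording: a standard channel has no access-control list (`access_control is None`), so every authenticated user can read it.

```python
"""Illustrative model of the missing ownership check (added example, not
Open WebUI's code). Class and field names below are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class User:
    id: str
    role: str = "user"  # assumed roles: "user" or "admin"


@dataclass
class Channel:
    id: str
    # None models "access control disabled": a standard channel that every
    # authenticated user can read. A dict models a group/restricted channel.
    access_control: Optional[dict] = None


@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str  # the author
    content: str


def has_access(user: User, permission: str, channel: Channel) -> bool:
    """Channel-level check (assumed shape): an open channel grants read to
    everyone; a restricted channel grants what its ACL lists."""
    if channel.access_control is None:
        return True  # nothing here distinguishes the message author from other readers
    allowed = channel.access_control.get(permission, {}).get("user_ids", [])
    return user.id in allowed


def update_message_vulnerable(user: User, channel: Channel, msg: Message, new_content: str) -> bool:
    """Flawed authorization: only asks whether the caller may *read* the channel.
    In a standard channel that is always true, so any user can edit any message."""
    if not has_access(user, "read", channel):
        return False
    msg.content = new_content
    return True


def update_message_fixed(user: User, channel: Channel, msg: Message, new_content: str) -> bool:
    """Hardened check: channel readability is necessary but not sufficient.
    The message must belong to this channel and the caller must be its author
    (or an admin). This is the object-level check the flawed version lacks."""
    if not has_access(user, "read", channel):
        return False
    if msg.channel_id != channel.id:
        return False
    if msg.user_id != user.id and user.role != "admin":
        return False  # not your message
    msg.content = new_content
    return True


def demo() -> Tuple[bool, bool]:
    """User B tries to rewrite User A's message in a standard channel.
    Returns (allowed under the vulnerable check, allowed under the fixed check)."""
    user_a, user_b = User("user-a"), User("user-b")
    standard = Channel("chan-1")  # standard channel: no ACL
    m_vuln = Message("msg-1", "chan-1", user_a.id, "hello from A")
    m_fixed = Message("msg-1", "chan-1", user_a.id, "hello from A")
    return (
        update_message_vulnerable(user_b, standard, m_vuln, "tampered"),
        update_message_fixed(user_b, standard, m_fixed, "tampered"),
    )


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the two functions side by side is that the channel check is not wrong, it is simply the wrong question: it answers "may this user see the channel?" when the endpoint needs "may this user change this particular message?". A regression test for the fix should cover the standard-channel case specifically, because that is where the channel-level check degenerates to "always true".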

Remediation

Users are advised to update Open WebUI to version 0.8.6 or later, where this vulnerability has been fixed. After upgrading, confirm that the running instance reports version 0.8.6 or later before treating the issue as closed.

Added: May 15, 2026, 10:35 PM
Updated: May 15, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.2
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.