Open WebUI IDOR Vulnerability in Channels Feature Allowing Message Tampering

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Channels feature of Open WebUI prior to version 0.9.5. It allows any channel member to modify messages sent by other members of the same channel, including administrators. The flaw is in the update_message_by_id function: for group or direct message channels it verifies only that the caller is a member of the channel and never checks that the caller owns the message being updated. As a result, any channel member can arbitrarily alter messages written by others.

Impact

Exploitation of this vulnerability allows users to tamper with messages from other channel members, including those from administrators, potentially leading to the spread of false information.

Reproduction

To reproduce this vulnerability, create a group channel and add two users, 'test1' and 'test2'. Have 'test2' send a message in the channel. 'test1' can then modify the message from 'test2' via the update_message_by_id API endpoint, because no message ownership check is applied.

Remediation

Update to Open WebUI version 0.9.5 or later, where this vulnerability is fixed.
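The following added example illustrates the authorization defect described in the Vulnerability section and the kind of check the remediation implies. It is not Open WebUI's code: the data model (Channel, Message), the channel type names "group" and "dm", the function names and the Forbidden exception are all assumptions made for this illustration. It places the membership-only check beside a check that also requires message ownership, and replays the advisory's two-user scenario against both.

```python
"""Membership-only vs. membership-plus-ownership authorization for message edits.

Constructed illustration; not Open WebUI's implementation. Data model,
channel type names and function names are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Channel:
    id: str
    type: str                      # assumed channel types: "group" or "dm"
    members: set = field(default_factory=set)


@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str                   # author of the message
    content: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


def update_message_membership_only(channel, message, caller_id, new_content):
    """Flawed pattern: any member of a group/DM channel may edit any message.

    The only thing verified is that the caller belongs to the channel; the
    author of the message is never compared with the caller.
    """
    if channel.type in ("group", "dm") and caller_id not in channel.members:
        raise Forbidden("not a channel member")
    message.content = new_content
    return message


def update_message_with_ownership(channel, message, caller_id, new_content):
    """Hardened pattern: the message must belong to the channel, the caller
    must be a member, and the caller must be the message's author."""
    if message.channel_id != channel.id:
        raise Forbidden("message does not belong to this channel")
    if channel.type in ("group", "dm") and caller_id not in channel.members:
        raise Forbidden("not a channel member")
    if message.user_id != caller_id:
        raise Forbidden("only the author may edit this message")
    message.content = new_content
    return message


def demo():
    """Replay the advisory's scenario: member test1 edits a message by test2."""
    channel = Channel(id="c1", type="group", members={"test1", "test2"})
    results = {}

    # Membership-only check: the edit by a non-author succeeds.
    msg = Message(id="m1", channel_id="c1", user_id="test2", content="hello")
    update_message_membership_only(channel, msg, "test1", "tampered")
    results["membership_only_allows_tamper"] = msg.content == "tampered"

    # Ownership check: the same edit is refused and the content is untouched.
    msg = Message(id="m1", channel_id="c1", user_id="test2", content="hello")
    try:
        update_message_with_ownership(channel, msg, "test1", "tampered")
        results["ownership_check_blocks_tamper"] = False
    except Forbidden:
        results["ownership_check_blocks_tamper"] = msg.content == "hello"

    # The author can still edit their own message under the hardened check.
    update_message_with_ownership(channel, msg, "test2", "edited by author")
    results["author_can_edit"] = msg.content == "edited by author"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the hardened variant is that membership and ownership are independent conditions: membership answers "may this caller see the channel", ownership answers "may this caller change this particular object", and an update endpoint needs both. A unit test that exercises a non-author member, as demo() does, is the cheapest regression check for this class of IDOR.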

Added: May 15, 2026, 9:30 PM
Updated: May 15, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.2
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.