Open WebUI Pin/Unpin API Endpoint Improper Permission Vulnerability

Vulnerability

A vulnerability exists in the Pin/Unpin feature of Open WebUI, an offline AI platform, in versions prior to 0.9.5. The Pin/Unpin operation modifies message fields to record pin status, which is a write to the message, yet in standard channels it only verifies that the caller has read permission. As a result, users with read-only access can pin or unpin any message, disrupting the flow of important information in the channel. The vulnerability is present in the pin_channel_message API endpoint.

Impact

This vulnerability allows read-only users to pin or unpin messages, potentially disrupting the visibility of important information in the channel.

Reproduction

To reproduce this vulnerability, an admin user can create a standard channel and grant read-only access to a test user. After the test user is assigned read-only permissions, they can pin or unpin messages in the channel, despite lacking the appropriate rights to perform such actions.
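The following is an added illustration of the defect class described in the Vulnerability and Reproduction sections above: a state-changing pin/unpin handler gated on the read check, shown beside the corrected handler that gates on write permission. It is not Open WebUI's code; the Access, Channel, Message and pin_message_* names and the constructed channel data are assumptions made for this example, and it does not reproduce how Open WebUI's own endpoint is implemented.

```python
"""Added example (not Open WebUI code): a pin/unpin operation that checks
only read permission, next to the hardened version that requires write
permission. All class and function names here are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Ordered access levels; a higher value implies the lower ones."""
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass
class Message:
    id: str
    content: str
    pinned: bool = False


@dataclass
class Channel:
    id: str
    access: dict                      # constructed map: user_id -> Access
    messages: dict = field(default_factory=dict)

    def can_read(self, user_id):
        return self.access.get(user_id, Access.NONE).value >= Access.READ.value

    def can_write(self, user_id):
        return self.access.get(user_id, Access.NONE).value >= Access.WRITE.value


class PermissionDenied(Exception):
    pass


def pin_message_vulnerable(channel, user_id, message_id, pinned=True):
    # The pattern the advisory describes: a write to the message is guarded
    # by the same check that gates merely viewing the channel.
    if not channel.can_read(user_id):
        raise PermissionDenied("no read access to channel")
    channel.messages[message_id].pinned = pinned
    return channel.messages[message_id].pinned


def pin_message_fixed(channel, user_id, message_id, pinned=True):
    # Pinning or unpinning changes message state, so the authorization check
    # must match the write it performs, not the read used to fetch messages.
    if not channel.can_write(user_id):
        raise PermissionDenied("pin/unpin requires write access to channel")
    channel.messages[message_id].pinned = pinned
    return channel.messages[message_id].pinned


def build_channel():
    """Constructed sample data mirroring the advisory's reproduction steps:
    an admin with write access and a test user with read-only access."""
    ch = Channel(id="general",
                 access={"admin": Access.WRITE, "reader": Access.READ})
    ch.messages["m1"] = Message(id="m1", content="release notes")
    return ch


def demo():
    """Run the read-only user against both handlers.

    Returns (pinned_by_vulnerable_handler, fixed_handler_denied)."""
    ch = build_channel()
    pinned_by_vulnerable = pin_message_vulnerable(ch, "reader", "m1")

    ch = build_channel()
    try:
        pin_message_fixed(ch, "reader", "m1")
        fixed_denied = False
    except PermissionDenied:
        fixed_denied = True
    return pinned_by_vulnerable, fixed_denied


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check a reviewer would apply to any similar endpoint is the one the two handlers differ on: every handler that mutates a record must require the permission level that corresponds to that mutation, and a read check on the enclosing container is not a substitute.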

Remediation

Users are advised to update to Open WebUI version 0.9.5 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 9:30 PM
Updated: May 15, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.