Product
Open WebUI versions 0.6.18 and earlier are vulnerable to an insecure direct object reference (IDOR) in the channels message management system; authenticated users with read access to a channel can modify or delete any message within that channel due to missing message ownership validation in the message update and delete endpoints.