Open-Webui (<= 0.6.18) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/open-webui--0.6.18/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 11 May 2026 14:08:25 +0000Open WebUI Insecure Direct Object Reference in Channel Messageshttps://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/Mon, 11 May 2026 14:08:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/Open WebUI versions 0.6.18 and earlier are vulnerable to an insecure direct object reference (IDOR) in the channels message management system; authenticated users with read access to a channel can modify or delete any message within that channel due to missing message ownership validation in the message update and delete endpoints.Open WebUI versions 0.6.18 and earlier contain an Insecure Direct Object Reference (IDOR) vulnerability within the channel message management system. This flaw allows authenticated users with read access to a channel to modify or delete messages created by other users within the same channel. The vulnerability stems from the absence of message ownership validation in the backend API endpoints responsible for updating and deleting messages. While the frontend implements client-side checks to restrict message editing and deletion to owners or administrators, these controls can be bypassed by directly interacting with the backend APIs, allowing unauthorized message tampering and deletion. This poses a risk to message integrity and auditability within collaborative channel environments. The issue was reported on May 11, 2026.

Attack Chain

  1. Attacker authenticates to the Open WebUI application.
  2. Attacker gains read access to a channel.
  3. Victim creates a message within the channel.
  4. Attacker observes the message_id of the victim’s message, either through the frontend or by intercepting API requests.
  5. Attacker crafts a malicious API request to either update the message content or delete the message, using the victim’s message_id and the channel’s ID.
  6. Attacker sends the crafted API request to the /api/v1/channels/{channel_id}/messages/{victim_message_id}/update or /api/v1/channels/{channel_id}/messages/{victim_message_id}/delete endpoint, bypassing frontend controls.
  7. The backend API validates the attacker’s channel access (read permission) but fails to verify message ownership.
  8. The victim’s message is modified or deleted, leading to data manipulation or denial of service.

Impact

Successful exploitation of this IDOR vulnerability enables unauthorized modification and deletion of messages within Open WebUI channels. Users with only read access can gain write/delete capabilities over other users’ content, potentially leading to the alteration of critical information, disruption of communication, and undermining the integrity of audit trails. This vulnerability affects Open WebUI instances with channels enabled, potentially impacting any collaborative environments relying on message integrity.

Recommendation

  • Deploy the Sigma rule “Detect Open WebUI Message Modification via IDOR” to identify potential exploitation attempts by monitoring POST requests to the message update endpoint (/api/v1/channels/{channel_id}/messages/{victim_message_id}/update) and DELETE requests to the message delete endpoint (/api/v1/channels/{channel_id}/messages/{victim_message_id}/delete) in the webserver logs.
  • Apply the remediation steps recommended by the vendor, which includes implementing proper message ownership validation in the update and delete endpoints to prevent unauthorized message modification and deletion.
  • Upgrade Open WebUI to a version later than 0.6.18 to patch CVE-2026-44569.
]]>highadvisoryidorprivilege-escalationdefense-evasioncloud