GHSA-c7wp-3qh5-55pv

Source

https://github.com/advisories/GHSA-c7wp-3qh5-55pv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c7wp-3qh5-55pv/GHSA-c7wp-3qh5-55pv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c7wp-3qh5-55pv

Aliases

CVE-2026-44559

Published

2026-05-08T19:51:48Z

Modified

2026-05-16T00:06:23.538724Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels

Details

Missing Access Check on Channel Members Endpoint for Standard Channels

Affected Component

Channel members listing endpoint: - backend/open_webui/routers/channels.py (lines 445-507, get_channel_members_by_id)

Affected Versions

Current main branch and likely all versions with the channels feature.

Description

The GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels — including private ones — there is no channel_has_access check before returning the member list. Any authenticated user who knows a private channel's UUID can enumerate all users with access to that channel.

# Line 467-469: only group/dm channels are checked
if channel.type in ['group', 'dm']:
    if not Channels.is_user_channel_member(channel.id, user.id, db=db):
        raise HTTPException(...)
# Standard channels fall through with NO access check

Compare with other channel endpoints (e.g., get_channel_messages at line 688) which correctly call channel_has_access(user.id, channel, permission='read') for standard channels.

CVSS 3.1 Breakdown

| Metric | Value | Rationale | |--------|-------|-----------| | Attack Vector | Network (N) | Exploited remotely via API call | | Attack Complexity | Low (L) | Single API call, no special conditions | | Privileges Required | Low (L) | Requires a valid user account | | User Interaction | None (N) | No victim interaction required | | Scope | Unchanged (U) | Impact is within the channel authorization boundary | | Confidentiality | Low (L) | Leaks user identities and details for a private channel | | Integrity | None (N) | No data modification | | Availability | None (N) | No denial of service |

Attack Scenario

Attacker obtains a private standard channel's UUID (via logs, browser history, URL observation, or other API responses).
Attacker calls GET /api/v1/channels/{id}/members.
The server returns the full list of permitted users including their IDs, names, emails, roles, and profile images.
The attacker has no access to the channel's messages (those endpoints check access correctly), but now knows exactly who does.

Impact

Leaks the identity and personal details of every user with access to a private channel
Reveals organizational structure and project assignments
Enables targeted social engineering against channel members

Preconditions

Channels feature must be enabled (disabled by default)
Attacker must know the channel UUID (not guessable, but obtainable through indirect means)

Database specific

{
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:51:48Z",
    "nvd_published_at": "2026-05-15T20:16:47Z",
    "severity": "MODERATE"
}

References

Affected packages

PyPI / open-webui

Package

Name: open-webui; View open source insights on deps.dev
Purl: pkg:pypi/open-webui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.0

Affected versions

0.*

0.1.124

0.1.125

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

0.3.12

0.3.13

0.3.14

0.3.15

0.3.16

0.3.17.dev2

0.3.17.dev3

0.3.17.dev4

0.3.17.dev5

0.3.17

0.3.18

0.3.19

0.3.20

0.3.21

0.3.22

0.3.23

0.3.24

0.3.25

0.3.26

0.3.27.dev1

0.3.27.dev2

0.3.27.dev3

0.3.27

0.3.28

0.3.29

0.3.30.dev1

0.3.30.dev2

0.3.30

0.3.31.dev1

0.3.31

0.3.32

0.3.33.dev1

0.3.33

0.3.34

0.3.35

0.4.0.dev1

0.4.0.dev2

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6.dev1

0.4.6

0.4.7

0.4.8

0.5.0.dev1

0.5.0.dev2

0.5.0

0.5.1

0.5.2

0.5.3.dev1

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.5.13

0.5.14

0.5.15

0.5.16

0.5.17

0.5.18

0.5.19

0.5.20

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6.dev1

0.6.6

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.15

0.6.16

0.6.18

0.6.19

0.6.20

0.6.21

0.6.22

0.6.23

0.6.24

0.6.25

0.6.26.dev1

0.6.26

0.6.27

0.6.28

0.6.29

0.6.30

0.6.31

0.6.32

0.6.33

0.6.34

0.6.35

0.6.36

0.6.37

0.6.38

0.6.39

0.6.40

0.6.41

0.6.42

0.6.43

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

0.8.11

0.8.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c7wp-3qh5-55pv/GHSA-c7wp-3qh5-55pv.json"

last_known_affected_version_range

"<= 0.8.12"