GHSA-jxwr-g6r6-j3fx

Description

There's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation.

While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages.

The vulnerability affects both message content modification and deletion, allowing users to tamper with message integrity and audit trails in collaborative channel environments.

Source - Sink Analysis

Source: User-controlled message_id parameter in URL path

Call Chain: 1. FastAPI route handlers update_message_by_id() (line 450) and delete_message_by_id() (line 630) in backend/open_webui/routers/channels.py 2. Channel-level authorization check: has_access(user.id, type="read", access_control=channel.access_control) at lines 457 and 637 3. Message retrieval: Messages.get_message_by_id(message_id) at lines 467 and 647
4. Channel ID validation: if message.channel_id != id: at lines 472 and 652 5. Missing: Message ownership validation (message.user_id == user.id) 6. Sink: Messages.update_message_by_id(message_id, form_data) at line 476 or Messages.delete_message_by_id(message_id) at line 658 - modifies any message without ownership verification

Proof of Concept

1. Deploy Open WebUI with channels enabled (ENABLE_CHANNELS=true)
2. Create scenario:
   • User A creates a channel and grants User B read access
   • User A posts a message in the channel
   • User B observes the message_id from the frontend
3. Exploit: User B sends direct API requests bypassing frontend controls:

Message Update:

curl -X POST "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/update" \
     -H "Authorization: Bearer {attacker_token}" \
     -H "Content-Type: application/json" \
     -d '{"content": "Malicious content injected by attacker"}'

Message Deletion:

curl -X DELETE "http://localhost:8080/api/v1/channels/{channel_id}/messages/{victim_message_id}/delete" \
     -H "Authorization: Bearer {attacker_token}"

4. Result: Victim's message is modified or deleted despite User B only having read permissions

Impact

• Users can modify other users' message content within shared channels
• Read-only users gain write/delete capabilities over other users' content

Remediation

Implement proper message ownership validation in the update and delete endpoints by adding ownership checks that follow the established security pattern used throughout the codebase. First, add a validation condition after the existing message retrieval to ensure only message owners or admins can modify messages: if user.role != "admin" and message.user_id != user.id and not has_access(user.id, type="write", access_control=channel.access_control) then raise a 403 Forbidden exception. Second, change the existing permission check from type="read" to type="write" for both update and delete operations to align with the access control model used in other routers (notes, prompts, knowledge, etc.).