Channel creation and update endpoints:
- backend/open_webui/routers/channels.py (lines 291-340, create_new_channel)
- backend/open_webui/routers/channels.py (lines 617-638, update_channel_by_id)
- backend/open_webui/models/channels.py (lines 825-826, set_access_grants call without filtering)
Current main branch (commit 6fdd19bf1) and likely all versions supporting user-created group channels with access grants.
All resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call filter_allowed_access_grants() before persisting access grants. This function strips principal_id: "*" wildcard grants from users who lack the relevant sharing.public_* permission, and strips individual user grants from users who lack access_grants.allow_users permission.
The channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework.
# channels.py — access_grants from form data flow directly into persistence
# No call to filter_allowed_access_grants() anywhere in these paths.
# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,
# all of which do:
# form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)
# before creating or updating.
sharing.public_channels — public sharing of channels is intended to be admin-only.POST /api/v1/channels/
{
"name": "public-channel",
"type": "group",
"access_control": {
"access_grants": [
{"principal_type": "user", "principal_id": "*", "permission": "read"}
]
}
}
set_access_grants is called directly without filter_allowed_access_grants — the wildcard grant is persisted.The same attack works via POST /api/v1/channels/{id}/update for any channel the attacker owns.
sharing.public_channels permission and make channels publicly accessibleaccess_grants.allow_users to grant individual-user access in environments where only group-based sharing is intended