CVE-2026-44559

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0

Description An issue exists in the 'GET /api/v1/channels/{id}/members' endpoint where membership checks are only performed for group and dm channel types. For standard channels, including private ones, the system fails to perform a channel has access check before returning the member list. This allows any authenticated user who possesses a private channel's id (UUID) to enumerate all users with access to that channel, potentially leaking user identities, names, emails, roles, and profile images.

Recommendations Update to version 0.9.0.