PT-2026-39673 · Unknown · Open-Webui

Published: 2026-05-11 · Updated: 2026-05-16 · CVE-2026-44571

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.6

Description: In standard channels (where channel.type is neither group nor dm), the endpoint "POST /api/v1/channels/{channel_id}/messages/{message_id}/update" can be accessed with read permission only. When access control is set to None, the authorization check has_access(..., type="read") evaluates to True, allowing authenticated users who are not the message owner to update messages. This leads to the unauthorized modification of other users' messages.

Recommendations: Update to version 0.8.6.
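
The flaw described above, modelled as an added example (not Open WebUI's code and not taken from the 0.8.6 patch). The Channel and Message classes, the simplified has_access stand-in, and the ownership check in may_update_hardened are assumptions; only the read-gated update and the None behaviour come from the advisory text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Channel:
    type: Optional[str]             # None = standard channel; "group"/"dm" not modelled
    access_control: Optional[dict]  # None = no access control configured


@dataclass
class Message:
    user_id: str                    # owner of the message
    content: str


def has_access(user_id: str, type: str, access_control: Optional[dict]) -> bool:
    # Simplified stand-in (assumption), keeping only the behaviour the advisory
    # states: with access control set to None, a "read" check is True.
    if access_control is None:
        return type == "read"
    return user_id in access_control.get(type, {}).get("user_ids", [])


def may_update_vulnerable(user_id: str, channel: Channel, message: Message) -> bool:
    # Flawed pattern: a write operation gated only on read permission.
    return has_access(user_id, "read", channel.access_control)


def may_update_hardened(user_id: str, channel: Channel, message: Message) -> bool:
    # Assumed remediation: channel access plus message ownership.
    return (has_access(user_id, "read", channel.access_control)
            and message.user_id == user_id)


def update_message(check, user_id, channel, message, new_content) -> bool:
    """Apply the edit only if `check` authorizes it; return whether it was applied."""
    if not check(user_id, channel, message):
        return False
    message.content = new_content
    return True


if __name__ == "__main__":
    channel = Channel(type=None, access_control=None)   # constructed sample data
    for check in (may_update_vulnerable, may_update_hardened):
        msg = Message(user_id="alice", content="original")
        applied = update_message(check, "bob", channel, msg, "edited by bob")
        print(f"{check.__name__}: applied={applied}, content={msg.content!r}")
```

The same pair of checks makes a useful regression test after upgrading: a second authenticated account must not be able to change a message it does not own in a standard channel with no access control set.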

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-44571, GHSA-JGJ3-R8HR-9PJW

Affected Products: Open-Webui