CVE-2026-45385

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5

Description An Insecure Direct Object Reference (IDOR) exists in the Channels feature, which allows any member of a channel to modify messages sent by other members, including administrators. In the update message by id() function, for channels of type group or dm, the system only verifies the caller's membership via the is user channel member() function and fails to verify if the user actually owns the message they are attempting to modify.

Recommendations Update to version 0.9.5. As a temporary workaround, consider disabling the Channels feature through the admin interface.