[PR #24725] fix: gate chat_completion channel: branch on channel access + message scoping #115113

Open
opened 2026-05-18 16:04:10 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24725
Author: @Classic298
Created: 5/14/2026
Status: 🔄 Open

Base: devHead: fix/channel-chat-id-membership-and-message-scoping


📝 Commits (2)

  • 30bd3cc fix: gate chat_completion channel: branch on channel access + message scoping
  • 6f27df8 chore: trim verbose comment on channel: branch gate

📊 Changes

1 file changed (+41 additions, -0 deletions)

View changed files

📝 backend/open_webui/main.py (+41 -0)

📄 Description

When chat_id starts with 'channel:' the chat-completion handler skips the chat ownership / storage block below it. Nothing replaced that gate. The downstream channel emitter in socket/main.py:make_channel emitter writes to Messages.update_message_by_id using a caller-supplied message_id pulled from form_data['id'], with no membership check, no write-access check, and no validation that the message_id belongs to the channel.

Net effect: any authenticated user could submit
chat_id='channel:' + id='' and overwrite that message with attacker-controlled LLM output. Cross- channel writes worked too — private channels, DMs, channels the caller has no access to. Original author attribution stayed intact on the overwritten row.

Add the missing checks at the channel: branch:

  1. Channel must exist (404 otherwise).
  2. Non-admin caller must have write access to the channel — membership for group/dm channels, AccessGrants permission='write' for others.
  3. The message_id (if supplied) must belong to the same channel — a caller with write access to channel A cannot use this path to overwrite a message in channel B.

Behaviour change is limited to callers who were exploiting the gap: legitimate flows that supply a message_id under their own channel membership continue to work unchanged.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24725 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 5/14/2026 **Status:** 🔄 Open **Base:** `dev` ← **Head:** `fix/channel-chat-id-membership-and-message-scoping` --- ### 📝 Commits (2) - [`30bd3cc`](https://github.com/open-webui/open-webui/commit/30bd3cc2180f63fa44393bb42e58cfc172d7b481) fix: gate chat_completion channel: branch on channel access + message scoping - [`6f27df8`](https://github.com/open-webui/open-webui/commit/6f27df88d58ac7649d1f484b5de0db440a72e4a0) chore: trim verbose comment on channel: branch gate ### 📊 Changes **1 file changed** (+41 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/main.py` (+41 -0) </details> ### 📄 Description When chat_id starts with 'channel:' the chat-completion handler skips the chat ownership / storage block below it. Nothing replaced that gate. The downstream channel emitter in socket/main.py:_make_channel_ emitter writes to Messages.update_message_by_id using a caller-supplied message_id pulled from form_data['id'], with no membership check, no write-access check, and no validation that the message_id belongs to the channel. Net effect: any authenticated user could submit chat_id='channel:<any-channel-uuid>' + id='<any-message-uuid>' and overwrite that message with attacker-controlled LLM output. Cross- channel writes worked too — private channels, DMs, channels the caller has no access to. Original author attribution stayed intact on the overwritten row. Add the missing checks at the channel: branch: 1. Channel must exist (404 otherwise). 2. Non-admin caller must have write access to the channel — membership for group/dm channels, AccessGrants permission='write' for others. 3. The message_id (if supplied) must belong to the same channel — a caller with write access to channel A cannot use this path to overwrite a message in channel B. Behaviour change is limited to callers who were exploiting the gap: legitimate flows that supply a message_id under their own channel membership continue to work unchanged. ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 16:04:10 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#115113