mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[PR #23639] [MERGED] fix: enforce OAUTH_ALLOWED_DOMAINS on token exchange endpoint #50344
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23639
Author: @Classic298
Created: 4/12/2026
Status: ✅ Merged
Merged: 4/12/2026
Merged by: @tjbck
Base:
dev← Head:fix/oauth-token-exchange-domain-bypass📝 Commits (1)
ed22119fix: enforce OAUTH_ALLOWED_DOMAINS on token exchange endpoint📊 Changes
1 file changed (+12 additions, -0 deletions)
View changed files
📝
backend/open_webui/routers/auths.py(+12 -0)📄 Description
The OAuth token exchange endpoint skipped the domain allowlist check that the normal OAuth callback enforces. An attacker with a valid OAuth token from a non-allowed domain (e.g. gmail.com) could bypass the admin's domain restriction policy entirely.
Adds the same domain validation check used in the OAuth callback, denying access when the email domain is not in the allowed list.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.