mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:03:05 -05:00
[PR #24725] fix: gate chat_completion channel: branch on channel access + message scoping #98841
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24725
Author: @Classic298
Created: 5/14/2026
Status: 🔄 Open
Base:
dev← Head:fix/channel-chat-id-membership-and-message-scoping📝 Commits (2)
30bd3ccfix: gate chat_completion channel: branch on channel access + message scoping6f27df8chore: trim verbose comment on channel: branch gate📊 Changes
1 file changed (+41 additions, -0 deletions)
View changed files
📝
backend/open_webui/main.py(+41 -0)📄 Description
When chat_id starts with 'channel:' the chat-completion handler skips the chat ownership / storage block below it. Nothing replaced that gate. The downstream channel emitter in socket/main.py:make_channel emitter writes to Messages.update_message_by_id using a caller-supplied message_id pulled from form_data['id'], with no membership check, no write-access check, and no validation that the message_id belongs to the channel.
Net effect: any authenticated user could submit
chat_id='channel:' + id='' and overwrite that message with attacker-controlled LLM output. Cross- channel writes worked too — private channels, DMs, channels the caller has no access to. Original author attribution stayed intact on the overwritten row.
Add the missing checks at the channel: branch:
Behaviour change is limited to callers who were exploiting the gap: legitimate flows that supply a message_id under their own channel membership continue to work unchanged.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.