CVE-2026-44561: Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

The is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with is_active=False and status='left'. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls.

The channel correctly disappears from the deactivated user’s channel list (the listing query at get_channels_by_user_id properly filters on is_active), but all 15 message-level endpoints in the router rely on is_user_channel_member for authorization, which does not filter on is_active.