CVE-2026-45385: Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (v0.8.12) of Open WebUI.
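The flaw class described above, shown as an added example that is not Open WebUI's code: a handler that checks only channel membership, next to one that also binds the message to the channel and to its author. The `Store` model, both function names, and the author-only edit policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


@dataclass
class Message:
    id: str
    channel_id: str
    user_id: str  # author of the message
    content: str


@dataclass
class Store:
    # Constructed sample data: one channel, two members, one admin-authored message.
    members: dict = field(default_factory=lambda: {"c1": {"admin", "alice"}})
    messages: dict = field(default_factory=lambda: {
        "m1": Message("m1", "c1", "admin", "maintenance at 18:00")})


def update_message_membership_only(store, user_id, channel_id, message_id, content):
    """Illustrates the IDOR: membership is checked, authorship is not."""
    if user_id not in store.members.get(channel_id, set()):
        raise Forbidden("not a channel member")
    msg = store.messages[message_id]
    msg.content = content  # any member can overwrite any message
    return msg


def update_message_owner_checked(store, user_id, channel_id, message_id, content):
    """Hardened form (assumed policy): only the author may edit a message."""
    if user_id not in store.members.get(channel_id, set()):
        raise Forbidden("not a channel member")
    msg = store.messages.get(message_id)
    # Bind the message to the channel named in the request, then to the caller.
    if msg is None or msg.channel_id != channel_id:
        raise Forbidden("message not in this channel")
    if msg.user_id != user_id:
        raise Forbidden("only the author may edit this message")
    msg.content = content
    return msg
```

A regression test for this class of bug should assert that a second channel member receives a 403 and that the stored content is unchanged.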