What is GHSA-7rjh-px4v-5w55?

GHSA-7rjh-px4v-5w55 is a security advisory published by GitHub Security Advisories with Medium severity. Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants

Which CVE IDs does GHSA-7rjh-px4v-5w55 cover?

GHSA-7rjh-px4v-5w55 covers the following CVE IDs: CVE-2026-44558. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-7rjh-px4v-5w55?

GHSA-7rjh-px4v-5w55 has a CVSS v3 base score of 5.4, published by GitHub Security Advisories.

Which products are affected by GHSA-7rjh-px4v-5w55?

GHSA-7rjh-px4v-5w55 affects 1 product, including: pip/open-webui:\u003c= 0.8.12.

GHSA-7rjh-px4v-5w55MediumCVSS 5.4

Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants

Vendor

GitHub Security Advisories

Published

May 8, 2026

Last Modified

May 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-44558 →

📋 Description

Channel Access Grants Bypass filter_allowed_access_grants

Affected Component

Channel creation and update endpoints:

backend/open_webui/routers/channels.py (lines 291-340, create_new_channel)
backend/open_webui/routers/channels.py (lines 617-638, update_channel_by_id)
backend/open_webui/models/channels.py (lines 825-826, set_access_grants call without filtering)

Affected Versions

Current main branch (commit 6fdd19bf1) and likely all versions supporting user-created group channels with access grants.

Description

All resource routers in Open WebUI (knowledge, models, notes, prompts, tools, skills) call filter_allowed_access_grants() before persisting access grants. This function strips principal_id: "*" wildcard grants from users who lack the relevant sharing.public_* permission, and strips individual user grants from users who lack access_grants.allow_users permission.

The channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitrary access grants — including public wildcard grants — and those grants are stored verbatim, bypassing the admin's permission framework.

# channels.py — access_grants from form data flow directly into persistence
# No call to filter_allowed_access_grants() anywhere in these paths.

# Compare with knowledge.py / models.py / notes.py / prompts.py / tools.py / skills.py,
# all of which do:
#     form_data.access_grants = filter_allowed_access_grants(user, form_data.access_grants)
# before creating or updating.

Attack Scenario

Admin configures permissions so that regular users do NOT have sharing.public_channels — public sharing of channels is intended to be admin-only.
Attacker (a regular user) creates or owns a group channel.

Attacker sends:

POST /api/v1/channels/
{
  "name": "public-channel",
  "type": "group",
  "access_control": {
    "access_grants": [
      {"principal_type": "user", "principal_id": "*", "permission": "read"}
    ]
  }
}

set_access_grants is called directly without filter_allowed_access_grants — the wildcard grant is persisted.
The channel becomes publicly readable to every user on the instance, despite the admin's policy prohibiting public channels for regular users.

The same attack works via POST /api/v1/channels/{id}/update for any channel the attacker owns.

Impact

Regular users can bypass the sharing.public_channels permission and make channels publicly accessible
Regular users can bypass access_grants.allow_users to grant individual-user access in environments where only group-based sharing is intended
Admin's permission framework for channels is silently ineffective
Creates an inconsistency with every other resource type in the codebase, making the security posture harder to reason about

Preconditions

Attacker must have an account with the ability to create group channels (default user capability), or ownership of an existing channel
Admin must have configured restrictive sharing permissions for regular users (otherwise there's no policy to bypass)

🎯 Affected products1

pip/open-webui:<= 0.8.12