6 matches found
CVE-2026-44571
CVE-2026-44571 concerns the Open WebUI platform. In standard channels, the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update could be invoked with only read permission if access_control is None, allowing unauthorized users to modify other users’ messages. The issue is fixed...
Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission
Vulnerability Description: In standard channels, i.e., channels whose channel.type is neither group nor dm, the endpoint POST /api/v1/channels/{channel_id}/messages/{message_id}/update can be accessed with read permission only. When access_control is set to None, the authorization check has_access...,...
CVE-2024-41703
LibreChat through 0.7.4-rc1 has incorrect access control for message updates...
CVE-2024-41703
LibreChat through 0.7.4-rc1 has incorrect access control for message updates...
CVE-2024-41703
LibreChat up to version 0.7.4-rc1 has incorrect access control for message updates. The issue is documented across multiple sources (NVD, Red Hat, OSV, CVE lists) with the same description. The CVSS-based impact is listed as critical in NVD (high confidentiality, integrity, and availability im...
PT-2024-29525 · Librechat · Librechat
Name of the Vulnerable Software and Affected Versions: LibreChat versions prior to 0.7.4-rc1. Description: The issue is related to incorrect access control for message updates. Recommendations: For versions prior to 0.7.4-rc1, at the moment, there is no information about a newer version that...