mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 04:50:11 +02:00
Two lifecycle/authorization gaps let a deactivated (pending) account keep acting: 1. The background automation scheduler (execute_automation) rehydrated the owner by ID and dispatched the chat pipeline without re-checking the owner. A user later set to pending, or one whose features.automations permission was revoked, kept running scheduled automations on the operator's provider credentials, even though the HTTP create/update/run routes already gate on get_verified_user + features.automations. Re-gate the rehydrated owner before dispatch: require role user/admin and, for non-admins, the features.automations permission; otherwise record an error and skip the run. 2. check_model_access enforced per-model ACLs only for exactly role == 'user', so any other non-admin role (a pending principal) fell through and was granted access. Enforce for every non-admin role (admins still bypass), so the check fails closed (CWE-862, CWE-863). Co-authored-by: rexpository <30176934+rexpository@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>