Technical description
Onyx, an open-source AI platform, contains a broken object-level authorization flaw (an insecure direct object reference) in its chat-session stop endpoint. The POST /chat/stop-chat-session/{chat_session_id} route verifies that the caller is authenticated but does not verify that the chat session identified in the path belongs to the authenticated user. An attacker with a valid account on the same instance who knows another user's chat-session UUID can terminate that user's in-progress LLM generation mid-stream. The flaw is limited to stopping generation; the page describes no read or write access to the victim's messages.
Attack vector
Authenticated. An attacker logs into Onyx with their own credentials, obtains another user's chat-session UUID, and calls POST /chat/stop-chat-session/{victim_session_id}. The endpoint executes the stop action without verifying session ownership, interrupting the victim's active LLM response. One practical caveat: if session identifiers are random (version 4) UUIDs, blind enumeration is not feasible, so the realistic precondition is that the identifier leaks by some other route (a shared link, screenshot, log line, proxy record, or browser history) rather than being guessed.
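The missing check, modelled in plain Python as an added illustration. This is not Onyx's code: the User and ChatSession shapes, the in-memory SESSIONS store, the exception classes standing in for HTTP 403/404, and the function names are assumptions for the demonstration. The vulnerable handler reproduces the pattern the description gives (authentication only, lookup by id alone); the hardened one folds ownership into the lookup itself.

```python
"""Added example, not Onyx code: vulnerable vs. hardened stop-session handler."""
from dataclasses import dataclass
from uuid import UUID, uuid4


@dataclass
class User:
    id: UUID
    email: str


@dataclass
class ChatSession:
    id: UUID
    user_id: UUID            # owner of the session
    generating: bool = True  # True while an LLM response is streaming


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


class NotFound(Exception):
    """Stand-in for an HTTP 404 response."""


# Constructed sample data: two users, each with one in-flight session.
ALICE = User(uuid4(), "alice@example.com")
BOB = User(uuid4(), "bob@example.com")
SESSIONS: dict[UUID, ChatSession] = {}
for _owner in (ALICE, BOB):
    _s = ChatSession(uuid4(), _owner.id)
    SESSIONS[_s.id] = _s


def stop_chat_session_vulnerable(session_id: UUID, current_user: User) -> ChatSession:
    """The pattern the advisory describes: the caller must be authenticated,
    but the session is fetched by id alone, so any user can stop any session."""
    if current_user is None:
        raise Forbidden("authentication required")
    session = SESSIONS.get(session_id)
    if session is None:
        raise NotFound("no such session")
    session.generating = False
    return session


def get_owned_session(session_id: UUID, current_user: User) -> ChatSession:
    """Object-level authorization folded into the lookup: filter by BOTH id and
    owner, so a session the caller does not own is indistinguishable from one
    that does not exist. Answering 404 rather than 403 avoids confirming that a
    leaked or guessed id is valid."""
    session = SESSIONS.get(session_id)
    if session is None or session.user_id != current_user.id:
        raise NotFound("no such session")
    return session


def stop_chat_session_fixed(session_id: UUID, current_user: User) -> ChatSession:
    """Hardened handler: same authentication gate, ownership-scoped lookup."""
    if current_user is None:
        raise Forbidden("authentication required")
    session = get_owned_session(session_id, current_user)
    session.generating = False
    return session


def demo() -> dict:
    """Exercise both handlers with Bob attacking Alice's session."""
    alice_session = next(s for s in SESSIONS.values() if s.user_id == ALICE.id)
    result = {}
    # Vulnerable path: Bob silently stops Alice's generation.
    stop_chat_session_vulnerable(alice_session.id, BOB)
    result["vulnerable_stopped_victim"] = not alice_session.generating
    alice_session.generating = True
    # Fixed path: Bob is rejected and Alice's stream keeps running.
    try:
        stop_chat_session_fixed(alice_session.id, BOB)
        result["fixed_rejected_attacker"] = False
    except NotFound:
        result["fixed_rejected_attacker"] = True
    result["victim_still_generating"] = alice_session.generating
    # Fixed path: the owner can still stop her own session.
    stop_chat_session_fixed(alice_session.id, ALICE)
    result["owner_can_stop"] = not alice_session.generating
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is where the ownership check lives: doing the filtered lookup in one helper (or, in a real ORM, a query constrained on both id and user_id) means every session-control endpoint gets the check by construction, rather than relying on each handler to remember it.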
Affected systems
Onyx versions prior to 3.0.9, 3.1.6, and 3.2.6 on their respective release tracks. Exploitation requires multiple users on the same instance, so shared enterprise deployments are affected; a single-user instance has no victim to target.
Mitigation
Upgrade to Onyx version 3.0.9, 3.1.6, or 3.2.6 depending on your release track. Implement and verify object-level authorization checks on all chat, generation, memory, and session-control endpoints so that users can only read and modify their own resources; the most robust form is to scope the lookup itself by owner (fetch by id and user_id together) rather than adding a post-hoc comparison in each handler. If an affected version was exposed to multiple users, review access logs for POST requests to /chat/stop-chat-session/ whose authenticated caller is not the owner of the referenced session, and treat repeated 404s on that path from one account as possible probing.
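The log-review step above, as an added example that is not part of Onyx or of the original advisory: correlate stop-session requests against session ownership and flag any whose caller is not the owner. The access-log format, the SESSION_OWNER table (what you would export from the database), the function names, and all sample lines are constructed assumptions; adapt the regex to the log shape your reverse proxy or application actually emits.

```python
"""Added example, not Onyx code: flag cross-user stop-chat-session requests."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed access-log shape: timestamp, authenticated user id, method, path, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>[0-9a-f-]{36}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
STOP_PATH_RE = re.compile(r"^/chat/stop-chat-session/(?P<session>[0-9a-f-]{36})$")

# Constructed: chat session id -> owning user id.
SESSION_OWNER: Dict[str, str] = {
    "11111111-1111-4111-8111-111111111111": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",  # alice
    "22222222-2222-4222-8222-222222222222": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",  # bob
}

# Constructed sample log lines: alice stops her own session, then bob stops
# alice's session, probes an unknown id, and stops his own session.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z user=aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa POST /chat/send-message 200
2025-01-10T09:00:05Z user=aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa POST /chat/stop-chat-session/11111111-1111-4111-8111-111111111111 200
2025-01-10T09:01:12Z user=bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb POST /chat/stop-chat-session/11111111-1111-4111-8111-111111111111 200
2025-01-10T09:01:13Z user=bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb POST /chat/stop-chat-session/33333333-3333-4333-8333-333333333333 404
2025-01-10T09:02:40Z user=bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb POST /chat/stop-chat-session/22222222-2222-4222-8222-222222222222 200
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    session: str
    owner: Optional[str]  # None: session unknown to the export (deleted or never existed)
    status: int


def find_cross_user_stops(log_text: str, owners: Dict[str, str]) -> List[Finding]:
    """Return every stop-chat-session request whose caller is not the session owner.

    A 200 with a known owner is a confirmed cross-user stop on a vulnerable
    build. A 404 with no known owner is weaker evidence (a stale id or a probe)
    and is reported so the analyst can look at the caller's overall pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than crash mid-review
        p = STOP_PATH_RE.match(m["path"])
        if m["method"] != "POST" or not p:
            continue
        owner = owners.get(p["session"])
        if owner == m["user"]:
            continue  # owner stopping their own session: expected behaviour
        findings.append(Finding(m["ts"], m["user"], p["session"], owner, int(m["status"])))
    return findings


def probe_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count 404 stop attempts per caller, a rough signal of id probing."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.status == 404:
            counts[f.actor] = counts.get(f.actor, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_cross_user_stops(SAMPLE_LOG, SESSION_OWNER):
        print(f)
    print(probe_counts(find_cross_user_stops(SAMPLE_LOG, SESSION_OWNER)))
```

Because the vulnerable endpoint returns success for a cross-user stop, status codes alone do not reveal abuse; the ownership join is what makes the event visible, so export session ownership for the whole vulnerability window, including sessions that have since been deleted, before running the review.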