CVE-2026-42276 Overview
CVE-2026-42276 is an authorization flaw in Onyx, an open-source artificial intelligence (AI) platform. The POST /chat/stop-chat-session/{chat_session_id} endpoint authenticates the caller but never verifies that the targeted chat session belongs to that caller. Any authenticated user who knows or guesses another user's chat session UUID can terminate that user's active Large Language Model (LLM) generation mid-stream. The flaw is classified as [CWE-639] Authorization Bypass Through User-Controlled Key. Onyx versions prior to 3.0.9, 3.1.6, and 3.2.6 are affected.
Critical Impact
Any authenticated Onyx user can terminate another user's in-progress LLM generation. The impact is confined to availability and to the sessions whose UUIDs the attacker can obtain, but on a shared deployment a single low-privileged account can repeat the attack against every such session, so the effect is a persistent denial of service against chosen colleagues rather than an outage of the whole platform.
Affected Products
- Onyx versions prior to 3.0.9
- Onyx versions prior to 3.1.6
- Onyx versions prior to 3.2.6
Discovery Timeline
- 2026-05-08 - CVE-2026-42276 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42276
Vulnerability Analysis
The vulnerability resides in the chat session termination endpoint exposed by the Onyx API. When a client issues POST /chat/stop-chat-session/{chat_session_id}, the handler validates that the request carries a valid authentication token. The handler does not, however, validate that the chat_session_id parameter corresponds to a session owned by the authenticated user.
This is a classic Insecure Direct Object Reference (IDOR) pattern. The chat session UUID acts as a user-controlled key. Because Onyx accepts any well-formed UUID without an ownership check, the authorization decision collapses into an authentication-only check. An attacker who obtains or enumerates a victim's chat session identifier can halt that victim's streaming LLM response.
The impact is limited to availability. Confidentiality and integrity are not affected because the endpoint only stops generation. It does not read message content or alter stored data.
Root Cause
The root cause is a missing ownership verification step in the stop-chat-session route. The handler looks up the session by the supplied identifier and signals it to stop without comparing the session's recorded owner against the authenticated principal. The correct pattern is to scope the lookup itself to the caller (fetch the session by id and owner together) so that a session belonging to someone else is indistinguishable from one that does not exist.
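The following is an added illustration, not Onyx project code or the actual patch: a FastAPI-style handler reduced to plain Python so it runs stand-alone. The vulnerable version stops any session that exists; the fixed version scopes the lookup to the caller and returns the same 404 for "missing" and "not yours" so the endpoint cannot be used to confirm which UUIDs exist. All names here (User, ChatSession, SessionStore, the two handler functions) are assumptions for illustration.

```python
"""Added example (not Onyx code): the missing ownership check behind
CVE-2026-42276, modelled on a FastAPI-style route using only the standard
library. All class and function names are assumptions for illustration."""
from dataclasses import dataclass
import uuid


class HTTPError(Exception):
    """Stand-in for fastapi.HTTPException."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass(frozen=True)
class User:
    id: uuid.UUID


@dataclass
class ChatSession:
    id: uuid.UUID
    user_id: uuid.UUID          # owner recorded when the session was created
    generating: bool = True     # True while an LLM response is streaming


class SessionStore:
    """In-memory stand-in for the chat session table plus the cancel signal."""
    def __init__(self) -> None:
        self._sessions: dict[uuid.UUID, ChatSession] = {}

    def create(self, owner: User) -> ChatSession:
        session = ChatSession(id=uuid.uuid4(), user_id=owner.id)
        self._sessions[session.id] = session
        return session

    def get(self, session_id: uuid.UUID):
        return self._sessions.get(session_id)

    def signal_stop(self, session_id: uuid.UUID) -> None:
        self._sessions[session_id].generating = False


def stop_chat_session_vulnerable(chat_session_id: uuid.UUID,
                                 current_user: User,
                                 store: SessionStore) -> dict:
    # Authentication already happened upstream (current_user is populated),
    # but nothing ties chat_session_id to current_user: CWE-639.
    if store.get(chat_session_id) is None:
        raise HTTPError(404, "chat session not found")
    store.signal_stop(chat_session_id)
    return {"stopped": str(chat_session_id)}


def stop_chat_session_fixed(chat_session_id: uuid.UUID,
                            current_user: User,
                            store: SessionStore) -> dict:
    session = store.get(chat_session_id)
    # One response for "does not exist" and "belongs to someone else", so the
    # endpoint is neither an IDOR nor an oracle for valid session UUIDs.
    if session is None or session.user_id != current_user.id:
        raise HTTPError(404, "chat session not found")
    store.signal_stop(chat_session_id)
    return {"stopped": str(chat_session_id)}


def demo() -> dict:
    """Run the attacker's request against both handlers and report outcomes."""
    store = SessionStore()
    alice, mallory = User(uuid.uuid4()), User(uuid.uuid4())
    results = {}

    # Vulnerable route: mallory halts alice's streaming response.
    victim = store.create(alice)
    stop_chat_session_vulnerable(victim.id, mallory, store)
    results["vulnerable_stopped_victim"] = not victim.generating

    # Fixed route: the same request is refused and generation continues.
    victim2 = store.create(alice)
    try:
        stop_chat_session_fixed(victim2.id, mallory, store)
        results["fixed_status"] = 200
    except HTTPError as err:
        results["fixed_status"] = err.status
    results["fixed_victim_still_generating"] = victim2.generating

    # The owner can still stop their own session.
    stop_chat_session_fixed(victim2.id, alice, store)
    results["owner_stopped"] = not victim2.generating
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the owner check is part of the lookup, not a separate branch after it: a helper such as "get session by id for this user" cannot be forgotten by the next route that is added.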
Attack Vector
The attack vector is network-based and requires low privileges. An attacker with any valid Onyx account sends a crafted HTTP POST request containing a target session UUID. No user interaction is required. In multi-tenant or team deployments, an insider can disrupt colleagues' AI workflows repeatedly. The vulnerability mechanism is documented in the Onyx GitHub Security Advisory GHSA-rw6w-hp62-gc8w.
Detection Methods for CVE-2026-42276
Indicators of Compromise
- HTTP POST requests to /chat/stop-chat-session/{chat_session_id} issued by an authenticated user who is not the owner of that session. The access log records the caller and the path, but ownership usually has to be looked up in the chat session records, so the indicator only surfaces after joining the two.
- A high frequency of stop-chat-session calls originating from a single authenticated account against multiple distinct session UUIDs.
- User reports of LLM responses terminating unexpectedly during normal operation.
Detection Strategies
- Correlate Onyx application logs against the session-to-user mapping to flag stop requests where the caller is not the session owner.
- Baseline normal stop-chat-session call volume per user and alert on statistical deviations.
- Inspect web proxy or reverse proxy access logs for enumeration patterns targeting chat session UUIDs.
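An added example, not part of the original page or of Onyx, that implements the first two strategies above together with the enumeration indicator: it parses constructed access-log lines, joins each stop call against a constructed session-to-owner mapping, and flags both cross-user stops and accounts spraying stop calls across many session UUIDs. The JSON log format, the field names and the /api/ prefix are assumptions; a real deployment needs a parser for its own proxy or application log format.

```python
"""Added example (not from the page or Onyx): detect cross-user stop-chat-session
calls and UUID spraying. Log format, field names and the owner mapping are
constructed for this example."""
import json
import re
from collections import defaultdict

# Accept the path with or without an /api/ prefix (assumption: the proxy may
# expose the backend under /api/).
STOP_PATH = re.compile(r"^/(?:api/)?chat/stop-chat-session/([0-9a-f-]{36})$")

# Constructed session-to-owner mapping, as it would be exported from the
# chat session table.
SESSION_OWNER = {
    "11111111-1111-4111-8111-111111111111": "alice",
    "22222222-2222-4222-8222-222222222222": "alice",
    "33333333-3333-4333-8333-333333333333": "bob",
    "44444444-4444-4444-8444-444444444444": "carol",
}

# Constructed access-log lines, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-05-09T10:00:01Z","user":"alice","method":"POST","path":"/api/chat/stop-chat-session/11111111-1111-4111-8111-111111111111","status":200}
{"ts":"2026-05-09T10:00:05Z","user":"mallory","method":"POST","path":"/api/chat/stop-chat-session/22222222-2222-4222-8222-222222222222","status":200}
{"ts":"2026-05-09T10:00:06Z","user":"mallory","method":"POST","path":"/api/chat/stop-chat-session/33333333-3333-4333-8333-333333333333","status":200}
{"ts":"2026-05-09T10:00:07Z","user":"mallory","method":"POST","path":"/api/chat/stop-chat-session/44444444-4444-4444-8444-444444444444","status":200}
{"ts":"2026-05-09T10:00:08Z","user":"mallory","method":"POST","path":"/api/chat/stop-chat-session/55555555-5555-4555-8555-555555555555","status":404}
{"ts":"2026-05-09T10:00:09Z","user":"bob","method":"GET","path":"/api/chat/get-chat-session/33333333-3333-4333-8333-333333333333","status":200}
"""


def parse_stop_events(log_text: str) -> list:
    """Keep only POSTs to the stop endpoint; extract caller and target UUID."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        match = STOP_PATH.match(rec.get("path", ""))
        if not match:
            continue
        events.append({"ts": rec["ts"], "user": rec["user"],
                       "session": match.group(1), "status": rec["status"]})
    return events


def find_cross_user_stops(events: list, owners: dict) -> list:
    """Stop calls where the caller is not the recorded owner. Unknown UUIDs
    (owner None) are kept: after the patch they are what an attacker's
    guesses look like, and before it they show enumeration."""
    hits = []
    for ev in events:
        owner = owners.get(ev["session"])
        if owner != ev["user"]:
            hits.append({**ev, "owner": owner})
    return hits


def find_enumerators(events: list, min_distinct: int = 3) -> dict:
    """Accounts that issued stop calls against many distinct session UUIDs,
    regardless of whether each call succeeded."""
    per_user = defaultdict(set)
    for ev in events:
        per_user[ev["user"]].add(ev["session"])
    return {u: len(s) for u, s in per_user.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    evs = parse_stop_events(SAMPLE_LOG)
    for hit in find_cross_user_stops(evs, SESSION_OWNER):
        print("cross-user stop:", hit)
    print("enumerators:", find_enumerators(evs))
```

Before the patch, a cross-user hit with status 200 means the victim's generation was actually halted; after it, the same request logs a 4xx but is still worth alerting on as an attempt. The distinct-UUID threshold should be tuned against a baseline, since legitimate users rarely stop more than a few of their own sessions in a short window.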
Monitoring Recommendations
- Forward Onyx API access logs to a centralized logging or Security Information and Event Management (SIEM) system for cross-user correlation.
- Enable per-endpoint rate limiting telemetry on /chat/stop-chat-session/ to surface abuse.
- Track the upstream Onyx repository for additional security advisories that may follow this fix.
How to Mitigate CVE-2026-42276
Immediate Actions Required
- Upgrade Onyx to the patched release for the branch you run: 3.0.9 for 3.0.x, 3.1.6 for 3.1.x, or 3.2.6 for 3.2.x.
- Audit existing Onyx user accounts and remove inactive or unnecessary accounts to shrink the pool of potential abusers.
- Review historical access logs for anomalous stop-chat-session activity prior to patching.
Patch Information
The maintainers patched the issue in Onyx versions 3.0.9, 3.1.6, and 3.2.6. The fix introduces an ownership verification step on the /chat/stop-chat-session/{chat_session_id} endpoint so that only the session owner can stop a session. See the Onyx GitHub Security Advisory GHSA-rw6w-hp62-gc8w for the official remediation guidance.
Workarounds
- If patching cannot be completed immediately, restrict Onyx access to trusted users only via network access controls or an authenticating reverse proxy. This shrinks the attacker pool but does not remove the flaw: every remaining authenticated user can still stop any session whose UUID they learn.
- Apply rate limiting at the reverse proxy layer for the /chat/stop-chat-session/ path. This slows blind enumeration of UUIDs but does not stop a single request against a UUID the attacker already knows; treat it as a speed bump, not a fix.
- Until the patch is applied, any session UUID that has been exposed (in a shared URL, a screenshot, or browser history) remains usable against its owner. After the upgrade the ownership check makes previously harvested UUIDs useless, so no rotation of session identifiers is needed.
# Example: upgrade Onyx to a patched release. Onyx is deployed as container
# images (docker compose or Helm), not as a pip package, so the upgrade is a
# change of image tag followed by a redeploy. IMAGE_TAG is the variable used
# by the upstream docker-compose files (assumed here; check your deployment),
# and the tag value must match the one published for your branch.
IMAGE_TAG=v3.2.6 docker compose pull && IMAGE_TAG=v3.2.6 docker compose up -d
# Example: nginx rate limit for the affected endpoint. limit_req_zone belongs
# in the http context, the location in the server block. Keying on
# $binary_remote_addr throttles everyone behind one NAT or egress address
# together; key on a per-user value (for example a session cookie variable)
# if your setup exposes one. If your proxy strips a prefix such as /api/
# before forwarding, keep that rewrite in this location as well.
limit_req_zone $binary_remote_addr zone=stopchat:10m rate=5r/m;
server {
    location ~ ^/(api/)?chat/stop-chat-session/ {
        limit_req zone=stopchat burst=5 nodelay;
        proxy_pass http://onyx_upstream;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


