A documented weakness in Open WebUI allows any authenticated user with read access to a shared knowledge base to overwrite the content of any file through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint does not perform an ownership check, enabling attackers to replace legitimate files that are later retrieved by the LLM during retrieval‑augmented generation. This flaw is an authorization bypass (CWE‑639) and could let an attacker control what information the model presents to other users.

The defect exists in all installations of the Open WebUI self‑hosted artificial intelligence platform running a version earlier than 0.8.6. Users who can authenticate and query a knowledge base can discover file identifiers via GET /api/v1/knowledge/{id}/files and exploit the vulnerability through the batch processing endpoint.

The CVSS score of 7.1 indicates a moderate‑high severity, while an EPSS score of less than 1% points to a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, which reduces confirmation of real‑world usage. Attackers would need only a valid authenticated session and read permission on a shared resource; no elevated system privileges are required, making exploitation relatively straightforward in a compromised or poorly protected instance.