Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.
Published: 2026-05-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple endpoints in Open WebUI accept a file identifier supplied by the caller and attach the referenced file to a resource or return its content. The reference is not validated against the caller's ownership or granted permissions, allowing any authenticated user to retrieve or overwrite another user's private file if the file's UUID is known. This results in confidentiality compromise and potential integrity modification, as the attacker can replace files in the knowledge base.

Affected Systems

The flaw exists in the open-webui product before version 0.9.5. Specific affected modules are backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id) and add_files_to_knowledge_by_id_batch. The vulnerability is fixed in release 0.9.5.
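The following is an added illustration of the CWE-639 pattern the advisory describes, written for this page and not taken from Open WebUI's code base. It models an attach endpoint that takes a caller-supplied file_id: the vulnerable function authorizes the knowledge base but not the file it is about to attach, while the hardened functions verify ownership or an explicit grant first, and the batch variant validates every id before attaching any. The record types, the in-memory FILES and KNOWLEDGE stores, the access_grants field and the sample UUIDs are all constructed assumptions.

```python
"""Constructed example of an unchecked file_id reference (CWE-639) and its fix.
Not Open WebUI code: all names, fields and sample records are assumptions."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FileRecord:
    id: str
    user_id: str                     # owner of the uploaded file
    content: str
    # user ids explicitly granted read access (hypothetical field)
    access_grants: set[str] = field(default_factory=set)


@dataclass
class KnowledgeBase:
    id: str
    user_id: str
    file_ids: list[str] = field(default_factory=list)


# Constructed sample data: alice's private file, bob's own file, bob's KB.
ALICE_FILE = "11111111-1111-4111-8111-111111111111"
BOB_FILE = "22222222-2222-4222-8222-222222222222"
FILES = {
    ALICE_FILE: FileRecord(ALICE_FILE, "alice", "alice's private notes"),
    BOB_FILE: FileRecord(BOB_FILE, "bob", "bob's own notes"),
}
KNOWLEDGE = {"kb-bob": KnowledgeBase(id="kb-bob", user_id="bob")}


def can_access_file(user_id: str, f: FileRecord) -> bool:
    """The ownership-or-grant check that the vulnerable path never performs."""
    return f.user_id == user_id or user_id in f.access_grants


def _own_knowledge_base(user_id: str, kb_id: str) -> KnowledgeBase:
    kb = KNOWLEDGE[kb_id]
    if kb.user_id != user_id:
        raise PermissionError("not your knowledge base")
    return kb


def attach_file_unchecked(user_id: str, kb_id: str, file_id: str) -> str:
    """Vulnerable pattern: the knowledge base belongs to the caller, but the
    file referenced by file_id is looked up by id alone. Any authenticated
    user who knows the UUID can pull another user's file into their own KB
    and then read it through the downstream file-content path."""
    kb = _own_knowledge_base(user_id, kb_id)
    f = FILES[file_id]               # missing: can_access_file(user_id, f)
    kb.file_ids.append(file_id)
    return f.content


def attach_file_checked(user_id: str, kb_id: str, file_id: str) -> str:
    """Hardened pattern: authorize the file reference before attaching it."""
    kb = _own_knowledge_base(user_id, kb_id)
    f = FILES.get(file_id)
    # One response for "does not exist" and "not yours", so the endpoint does
    # not confirm which UUIDs are valid.
    if f is None or not can_access_file(user_id, f):
        raise PermissionError("file not found or not accessible")
    if file_id not in kb.file_ids:
        kb.file_ids.append(file_id)
    return f.content


def attach_files_batch_checked(user_id: str, kb_id: str,
                               file_ids: list[str]) -> list[str]:
    """Batch variant: validate every id up front so one foreign UUID rejects
    the whole request instead of leaving the KB partially updated."""
    kb = _own_knowledge_base(user_id, kb_id)
    records: list[FileRecord] = []
    for fid in file_ids:
        f = FILES.get(fid)
        if f is None or not can_access_file(user_id, f):
            raise PermissionError(f"file not found or not accessible: {fid}")
        records.append(f)
    for f in records:                # only reached when every id passed
        if f.id not in kb.file_ids:
            kb.file_ids.append(f.id)
    return [f.id for f in records]
```

The two checked functions deliberately return the same error for a missing id and for a file the caller may not access; reporting them differently would let a caller confirm which UUIDs exist. The batch function validates the whole list before touching the knowledge base so that a failing request has no side effects.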

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity. The EPSS score is not provided, but the straightforward nature of the flaw suggests a realistic exploitation probability once an authenticated account with knowledge of a UUID is available. The flaw is not listed in the CISA KEV catalog. Attackers require only valid credentials and the file UUID; no public exploit is currently documented, but the vulnerability remains a significant risk for any self-hosted deployment.

Generated by OpenCVE AI on May 15, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch or upgrade to open-webui version 0.9.5 or newer
  • If possible, disable or restrict the affected endpoints until a patch is applied by configuring the API routing or access controls
  • Review file permissions and audit logs for unauthorized access attempts, and reset any files that may have been improperly exposed or overwritten

Advisories
Source | ID | Title
Github GHSA | GHSA-r472-mw7m-967f | Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
History

Fri, 15 May 2026 23:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-webui; Open-webui open-webui
Vendors & Products | | Open-webui; Open-webui open-webui

Fri, 15 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.
Title | | Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T22:21:36.768Z

Reserved: 2026-05-12T01:48:40.451Z

Link: CVE-2026-45402

Vulnrichment

Updated: 2026-05-15T22:17:52.363Z

NVD

Status: Received

Published: 2026-05-15T21:16:38.273

Modified: 2026-05-15T23:16:21.470

Link: CVE-2026-45402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses