Impact
Open WebUI versions prior to 0.9.0 allow any authenticated user to permanently delete files belonging to other users via the DELETE /api/v1/files/{id} endpoint when the target file is part of a shared chat. The authorization gate has_access_to_file() mistakenly grants access through its shared-chat branch without checking the requester's identity or the type of operation requested, so the same branch that is meant to let chat participants read a file also lets any user delete it. A user can therefore delete any file that appears in a shared chat, regardless of who owns it. This flaw is an instance of CWE‑639 (Authorization Bypass Through User-Controlled Key): the file id supplied by the requester is acted on without an adequate ownership check.
Affected Systems
The affected product is the open-webui:open-webui platform. Any deployment running a version earlier than 0.9.0 is vulnerable, as the fix was introduced in the 0.9.0 release. No specific sub‑versions are explicitly listed in the advisory.
Risk and Exploitability
The CVSS score of 8 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to be an authenticated user and to know the UUID of a target file, which can be learned by listing knowledge base files via GET /api/v1/knowledge/{id}/files. An attacker with read access to any knowledge base can thus collect file IDs and invoke the delete endpoint to remove files owned by other users. Once the faulty gate authorizes the request, the target file is permanently removed. Because the gate never distinguishes a read from a delete, the deletion succeeds for non‑owner users, which makes the vulnerability highly exploitable in multi‑user deployments.
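The failure mode described in the Impact and Risk sections above, as an added, self-contained Python model. This is example code written for this page, not Open WebUI's own implementation: the data model (files owned by a user_id, chats that can be shared and reference file ids), the function names has_access_vulnerable / has_access_fixed / delete_file, and the sample users and files are all assumptions chosen to mirror the advisory text. It places the flawed shared-chat branch beside a hardened gate that lets a shared chat justify only read access for a non-owner, and runs the non-owner delete attempt against both.

```python
from dataclasses import dataclass, field


@dataclass
class File:
    id: str
    user_id: str          # owner of the file


@dataclass
class Chat:
    id: str
    user_id: str
    shared: bool          # True once the owner has shared the chat
    file_ids: set = field(default_factory=set)


@dataclass
class User:
    id: str
    role: str = "user"    # "user" or "admin"


# Constructed sample state (hypothetical, not real data): alice owns two
# files, one referenced by a shared chat and one by a private chat; bob is
# an unrelated authenticated user who knows both file ids.
FILES = {"f-1": File("f-1", "alice"), "f-2": File("f-2", "alice")}
CHATS = [
    Chat("c-1", "alice", shared=True, file_ids={"f-1"}),
    Chat("c-2", "alice", shared=False, file_ids={"f-2"}),
]
ALICE, BOB = User("alice"), User("bob")


def file_in_shared_chat(file_id, chats=CHATS):
    """True if any shared chat references the file."""
    return any(c.shared and file_id in c.file_ids for c in chats)


def has_access_vulnerable(user, file, access_type):
    """Flawed gate (modelled on the advisory): the shared-chat branch returns
    True for any requester and any access_type, so a non-owner passes the
    check even when the operation is a delete."""
    if file.user_id == user.id or user.role == "admin":
        return True
    if file_in_shared_chat(file.id):      # ignores identity and access_type
        return True
    return False


def has_access_fixed(user, file, access_type):
    """Hardened gate: a shared chat only ever grants *read* access to a
    non-owner; write-class operations stay with the owner (or an admin)."""
    if file.user_id == user.id or user.role == "admin":
        return True
    if access_type == "read" and file_in_shared_chat(file.id):
        return True
    return False


def delete_file(files, user, file_id, gate):
    """Model of DELETE /api/v1/files/{id}: mutates `files` and returns an
    HTTP-like status. Deletion is checked as a write-class operation."""
    f = files.get(file_id)
    if f is None:
        return 404
    if not gate(user, f, "write"):
        return 403
    del files[file_id]
    return 200


def run_scenario(gate):
    """bob (non-owner) tries to delete both of alice's files through `gate`.
    Returns (status for shared-chat file, status for private file, surviving ids)."""
    files = dict(FILES)                   # shallow copy; File objects are not mutated
    shared = delete_file(files, BOB, "f-1", gate)
    private = delete_file(files, BOB, "f-2", gate)
    return shared, private, sorted(files)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(has_access_vulnerable))  # (200, 403, ['f-2'])
    print("fixed:     ", run_scenario(has_access_fixed))       # (403, 403, ['f-1', 'f-2'])
```

The fixed gate keeps the sharing feature intact (bob can still read f-1 through the shared chat) while refusing his delete; the owner's own delete still succeeds. When reviewing a real gate of this shape, the check to make is that every branch which grants access to a non-owner is conditioned on the operation type, not only on whether the object is reachable.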
OpenCVE Enrichment
Github GHSA