Open WebUI is a self‑hosted AI platform that operates entirely offline. In versions earlier than 0.9.6, the POST /api/chat/completions endpoint processes an image_url.url field. When the value does not begin with http://, https://, or data:image/, the service treats it as a file identifier and looks it up in the global file table without verifying ownership. An authenticated user can therefore supply another user’s file ID, causing the server to read the file from disk, encode it in base64, and inject the resulting data URI into the LLM request. The model can then be prompted to describe or OCR the file, and the returned information exposes the file contents to the attacker. The issue is fixed in 0.9.6 and represents CWE‑639, insufficient authorization checks that allow information disclosure. The CVE description was recently updated; review the advisory for the latest details.

The affected product is Open WebUI from the open‑webui organization. The vulnerability exists in any deployment running a version older than 0.9.6, where the /api/chat/completions endpoint processes image_url.url without proper ownership validation.

The CVSS score of 6.5 indicates a moderate severity vulnerability. EPSS information is not available, and the issue is not listed in CISA KEV, suggesting that public exploitation is not yet widespread. The exploit requires an authenticated session to send a crafted POST request to /api/chat/completions; based on the description, it is inferred that the attacker must be able to authenticate to the service, after which the attacker can read files belonging to other users by supplying their file identifiers.