Impact
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.9.6, an authenticated user could attach any file_id to their own chat message without the system checking whether the user owned or could read those files. When the attacker shares that chat and grants themselves read access, the has_access_to_file() logic incorrectly treats the victim's file as accessible through the shared chat, allowing the file endpoints to read or delete the victim's file. The flaw permits cross-user file read and deletion, exposing another user's data. This issue was addressed in version 0.9.6.
Affected Systems
The vulnerability affects the Open WebUI open-webui product in all releases prior to 0.9.6. Any self-hosted instance running an older version is susceptible; the fix was introduced in 0.9.6.
Risk and Exploitability
The CVSS score of 8.3 reflects high severity. The EPSS score is not publicly available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user who can add a file identifier to their own chat. Based on the description, the likely attack vector is the web UI while logged in. Once the chat is shared, the file endpoints treat the victim's file as readable or deletable, enabling the attacker to compromise the confidentiality and integrity of another user's files. No privileges beyond an active authenticated session are required.
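The access-control flaw described above, modelled as an added illustration that is not Open WebUI's code: the data model, function names and the owner-only access rule are hypothetical. It places the flawed check, which treats any file_id attached to a viewable chat as readable, beside a hardened check that lets a shared chat convey only the access its own owner actually holds.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical model of files, chats and sharing used only to
# illustrate the flaw; not Open WebUI's data model, code or API.
@dataclass
class File:
    id: str
    owner: str

@dataclass
class Chat:
    id: str
    owner: str
    file_ids: list
    shared_with: set = field(default_factory=set)

FILES, CHATS = {}, {}

def can_view_chat(user, chat):
    return chat.owner == user or user in chat.shared_with

def has_access_vulnerable(user, file_id):
    # Flawed: any file_id attached to a chat the user can view is treated as
    # readable, even though the chat owner never had rights to that file.
    if FILES[file_id].owner == user:
        return True
    return any(file_id in c.file_ids and can_view_chat(user, c)
               for c in CHATS.values())

def has_access_fixed(user, file_id):
    # Hardened: a chat only conveys access its own owner actually holds, so
    # attaching someone else's file_id grants the requester nothing.
    f = FILES[file_id]
    if f.owner == user:
        return True
    return any(file_id in c.file_ids and can_view_chat(user, c)
               and f.owner == c.owner for c in CHATS.values())

def run(chat_owner, file_owner, requester):
    # Constructed scenario: chat_owner attaches file_owner's file to a chat
    # and shares it with requester; returns (vulnerable, fixed) verdicts.
    FILES.clear(); CHATS.clear()
    FILES["f1"] = File("f1", file_owner)
    CHATS["c1"] = Chat("c1", chat_owner, ["f1"], shared_with={requester})
    return (has_access_vulnerable(requester, "f1"),
            has_access_fixed(requester, "f1"))
```

The second scenario in the test shows the hardened check still honours legitimate sharing by the file's real owner, so the fix does not break normal collaboration.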
OpenCVE Enrichment
GitHub GHSA