Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.9.6, a user who can create, update, or import workspace models could add arbitrary meta.knowledge entries to their models without authority checks on referenced files. The system treats meta.knowledge entries of type file as an authorization source. In particular, the view_file tool extracts file text and has_access_to_file() authorizes file content and delete endpoints. A malicious model owner can therefore attach another user’s file ID to their metadata and read or delete that private file. This unauthorized disclosure and deletion violate confidentiality and integrity for other users. The flaw arises from improper authorization (CWE‑284), insecure control of functionality (CWE‑285), and missing authorization checks (CWE‑862).

The affected product is Open WebUI from the vendor open‑webui. All installations running a version earlier than 0.9.6 are vulnerable. The vulnerability is fixed in version 0.9.6 and later; no other vendors or products are known to be impacted.

The CVSS score of 7.1 indicates a moderate‑to‑high severity issue. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no active exploitation has been observed in the wild. The likely attack vector is an authenticated user with model‑management privileges who can create or modify workspace models; such a user can supply a crafted meta.knowledge file reference to a target user’s file, bypassing the access‑control checks. Under these conditions, the vulnerability can be exploited without special system access or additional credentials.