Impact
Open WebUI is a self-hosted AI platform that operates entirely offline. Prior to version 0.9.6, the cache file serving endpoint contains a path traversal flaw. The root cause is an incomplete startswith containment check that omits a trailing path separator when comparing the resolved file path to the absolute CACHE_DIR path. As a result, any authenticated user can request files from sibling directories whose names begin with "cache" (for example, cache_sibling, cache_backup, cached_models), because the check mistakenly deems those paths valid. This allows the reading of arbitrary files, thereby compromising confidentiality. The flaw is classified as CWE‑22 and was fixed in release 0.9.6.
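The following is an added illustration, not Open WebUI's own code: it places a containment check of the kind described above (string prefix, no trailing separator) beside a component-wise check, so a reviewer can see why a sibling directory named with the same "cache" prefix passes the first and fails the second. The directory layout and the request strings are constructed assumptions.

```python
import os

# Constructed layout (assumption, not Open WebUI's real paths): an absolute
# cache directory with sibling directories that share its "cache" prefix.
CACHE_DIR = "/srv/app/cache"


def _resolve(requested: str) -> str:
    """Join the request onto CACHE_DIR and collapse '..' segments lexically."""
    return os.path.normpath(os.path.join(CACHE_DIR, requested))


def is_within_cache_flawed(requested: str) -> bool:
    """Check of the kind the advisory describes: a plain string prefix test
    with no trailing separator, so '/srv/app/cache_sibling/x' is accepted."""
    return _resolve(requested).startswith(CACHE_DIR)


def is_within_cache_fixed(requested: str) -> bool:
    """Component-wise containment: the common ancestor of CACHE_DIR and the
    resolved path must be CACHE_DIR itself, so a sibling never qualifies."""
    resolved = _resolve(requested)
    try:
        return os.path.commonpath([CACHE_DIR, resolved]) == CACHE_DIR
    except ValueError:  # mixed absolute/relative paths or different drives
        return False


def compare_checks(requests):
    """Return {request: (flawed_result, fixed_result)} for each request."""
    return {r: (is_within_cache_flawed(r), is_within_cache_fixed(r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: a legitimate cache file, a sibling sharing
    # the prefix, a sibling that does not, and an absolute path.
    results = compare_checks([
        "models/weights.bin",
        "../cache_sibling/config.json",
        "../uploads/file.txt",
        "/etc/hostname",
    ])
    for req, (flawed, fixed) in results.items():
        print(f"{req!r:32} flawed={flawed!s:5} fixed={fixed}")
```

Only the second request separates the two checks: the prefix test accepts it because "/srv/app/cache_sibling" begins with "/srv/app/cache", while the component-wise test sees that its common ancestor with CACHE_DIR is "/srv/app" and rejects it.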
Affected Systems
Open WebUI platforms running versions earlier than 0.9.6 are affected. The vulnerability exists in the open-webui/open-webui product as implemented before the 0.9.6 release. Users of Open WebUI 0.9.6 or later are not impacted.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. No EPSS score is available, so the current exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to exploit the flaw, but the code path allows reading arbitrary files within sibling directories. The incomplete validation provides a straightforward exploitation path once the user is logged in, making it a potentially useful tool for attackers who can gain initial user access.
OpenCVE Enrichment
Github GHSA