Skip to main content

Open WebUI CVE-2026-45671

| EUVDEUVD-2026-30606 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 https://github.com/open-webui/open-webui GHSA-26g9-27vm-x3q8
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 22:03 vuln.today
Analysis Generated
May 14, 2026 - 22:03 vuln.today
CVE Published
May 14, 2026 - 20:28 nvd
HIGH 8.0

DescriptionGitHub Advisory

Summary

Any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files.

Details

The root cause is in has_access_to_file() in backend/open_webui/routers/files.py.

When a user calls DELETE /api/v1/files/{file_id}, the endpoint delegates authorization to has_access_to_file(file_id, access_type="write", user=requesting_user). Inside that function, one branch checks whether the file is referenced in any shared chat:

python
chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
    return True

This branch has two missing checks:

  1. No user check: It asks "does any shared chat anywhere reference this file?", not "does the requesting user own or participate in that chat." Any authenticated user passes this check.
  2. No operation check: The access_type parameter ("write" for delete) is accepted but never inspected. The branch returns True regardless of whether the caller is requesting read access or delete access.

The result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.

The delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.

How an attacker obtains file UUIDs:

UUIDs are impractical to brute-force, but they don't need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via GET /api/v1/knowledge/{id}/files. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.

Suggested fix: gate the shared-chat branch on access_type so it only authorizes read operations:

python
if access_type == "read":
    chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
    if chats:
        return True

Classification:

  • CWE-639: Authorization Bypass Through User-Controlled Key
  • OWASP API1:2023: Broken Object Level Authorization
  • CVSS 3.1: 5.7 - AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Tested on Open WebUI 0.8.3 using a default Docker configuration.

PoC

Prerequisites:

  • Default Open WebUI installation (Docker: ghcr.io/open-webui/open-webui:main)
  • Two user accounts: a victim (any role) and an attacker (role: user)

Setup (victim):

  1. Log in as the victim
  2. Create a knowledge base and upload a document
  3. Start a new chat, attach the KB file, and send a message
  4. Share the chat using the share button

Obtaining the file UUID (attacker):

If the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:

GET /api/v1/knowledge/{kb_id}/files

This returns metadata for all files in the KB, including their UUIDs.

Exploit (attacker):

bash
python3 poc.py --url http://<host>:3000 --file-id <target-file-uuid> -t <attacker-jwt>

The PoC script (attached as poc.py):

  1. Authenticates as the attacker
  2. Confirms the target file is accessible via GET /api/v1/files/{id}/data/content
  3. Deletes the file via DELETE /api/v1/files/{id}
  4. Verifies permanent deletion (HTTP 404 on subsequent GET)

No special tooling is required - the script uses only Python 3 standard library (urllib).

Impact

Who is affected: Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.

What can happen:

  • Permanent data destruction: The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism.
  • Knowledge base degradation: If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing.
  • No audit trail: The delete operation does not record which user performed it.

Sharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.

Disclaimer on the use of AI powered tools

The research and reporting related to this vulnerability was aided by AI tools.

Scope clarification

The root cause is the has_access_to_file() shared-chat branch returning True regardless of access_type or requesting user. The original PoC demonstrates DELETE (access_type='write'), but the same gate is what authorizes the read (GET /api/v1/files/{id}, GET /api/v1/files/{id}/content) and modify (POST /api/v1/files/{id}/data/content/update) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.

Resolution

Fixed in commit 2e52ad8ff ("refac: shared chat"), first released in v0.9.0 (Apr 2026). The shared-chat feature was refactored to introduce a dedicated shared_chats table and gate shared-chat access through AccessGrants (resource_type='shared_chat'). has_access_to_file() (now in backend/open_webui/utils/access_control/files.py:68-80) calls AccessGrants.get_accessible_resource_ids to filter the shared-chat IDs to only those the requesting user has an explicit grant on - ownership, group membership, or public share - before returning True

The new gate is permission-aware ('read' here) and user-aware, closing both the "any user passes" issue and the "access_type ignored" issue. Users on >= 0.9.0 are not affected.

AnalysisAI

Broken object-level authorization in Open WebUI versions ≤0.8.12 allows any authenticated user to permanently delete files owned by other users when those files are referenced in any shared chat. The has_access_to_file() authorization function unconditionally grants access through its shared-chat branch, failing to validate both the requesting user's identity and the operation type (read vs. write). File UUIDs, which would otherwise prevent enumeration attacks, are exposed via the knowledge base API endpoint GET /api/v1/knowledge/{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.

Technical ContextAI

Open WebUI is a Python-based web interface for large language models that implements knowledge bases (RAG systems) and chat sharing features. The vulnerability resides in the has_access_to_file() authorization gate in backend/open_webui/routers/files.py. This function is called by REST API endpoints (DELETE /api/v1/files/{id}, GET /api/v1/files/{id}/content, POST /api/v1/files/{id}/data/content/update) with an access_type parameter to distinguish read from write operations. The shared-chat branch contains a logic error where it queries Chats.get_shared_chats_by_file_id(file_id) and returns True if any shared chat anywhere references the file - it never checks whether the requesting user participates in that chat, nor does it inspect the access_type parameter. This is CWE-639 (Authorization Bypass Through User-Controlled Key) and OWASP API1:2023 (Broken Object Level Authorization). The fix in v0.9.0 introduced a dedicated shared_chats table with AccessGrants resources (resource_type='shared_chat') that filter shared-chat IDs through get_accessible_resource_ids, ensuring only users with explicit grants (ownership, group membership, or public share) pass authorization. File UUIDs are exposed through the knowledge base files API, converting what would be a non-exploitable authorization flaw into a practical attack vector in multi-user deployments.

RemediationAI

Upgrade immediately to Open WebUI v0.9.0 or later, available via Docker (ghcr.io/open-webui/open-webui:v0.9.0 or :latest) or pip (pip install --upgrade open-webui). The fix is in commit 2e52ad8ff2f8d9ed9f38f76e9bc19c8f92d91fc3, which refactors shared-chat authorization to use a dedicated shared_chats table with AccessGrants filtering accessible resource IDs by user. Vendor advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8. Release notes: https://github.com/open-webui/open-webui/releases/tag/v0.9.0. No workaround is viable for production use - the authorization logic is embedded in core API endpoints and cannot be disabled without breaking file sharing entirely. Temporary risk reduction (with operational trade-offs): (1) Disable chat sharing globally if the platform supports such a configuration flag (stops UUID disclosure and shared-chat access branch, but eliminates a core collaboration feature). (2) Implement network-level access controls to restrict the /api/v1/files/* and /api/v1/knowledge/*/files endpoints to trusted IP ranges (reduces attacker pool but does not prevent insider threats or compromised accounts). (3) Audit logs for DELETE /api/v1/files/* requests and alert on deletions by non-owner users (detective control only, does not prevent data loss). All mitigations are partial and inferior to patching. Patching requires restarting the Docker container or application service with no database migration complexity beyond what is automated in the Alembic migration script included in v0.9.0.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy