Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-reachable upload endpoint requires an authenticated session (PR:L); only integrity is impacted as read-only users can inject but not otherwise modify knowledge base files.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
AnalysisAI
File upload authorization bypass in Open WebUI before 0.10.0 allows authenticated users with read-only knowledge base access to inject arbitrary files into restricted knowledge bases by supplying a crafted metadata.knowledge_id parameter. The upload endpoint omits the write-access check enforced by the dedicated /api/v1/knowledge/<id>/file/add route (CWE-862), creating a privilege escalation path for any authenticated platform user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated session on the target Open WebUI instance - unauthenticated exploitation is not possible given PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N appropriately reflects the low access complexity and network reachability but understates the realistic downstream impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Open WebUI user holding read-only access to a shared knowledge base crafts a multipart file upload HTTP request to the platform's upload endpoint, embedding metadata.knowledge_id set to the target knowledge base's identifier alongside a file containing adversarial prompt injection content. Because the upload path skips the write-access check, the file is silently linked to the knowledge base. … |
| Remediation | Upgrade to Open WebUI v0.10.0 or later, available at https://github.com/open-webui/open-webui/releases/tag/v0.10.0, which applies the write-access authorization check uniformly to the file upload path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42628