Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
Affected Component
Folder creation endpoint and form model:
backend/open_webui/models/folders.py(lines 72-77,FolderFormwithextra='allow')backend/open_webui/models/folders.py(lines 95-106,insert_new_folderdict construction)backend/open_webui/routers/folders.py(line 119,create_folderendpoint)
Affected Versions
Current main branch (commit 6fdd19bf1) and likely all versions since FolderForm adopted extra='allow'.
Description
FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fields to pass through Pydantic validation and be included in model_dump(exclude_unset=True). In insert_new_folder, the server-assigned user_id is placed at the start of the dict and then overwritten by the spread of form data:
# models/folders.py:95-106
folder = FolderModel(
**{
'id': id,
# server
'user_id': user_id,
# server - overwritten below
**(form_data.model_dump(exclude_unset=True) or {}),
# user-controlled (extra='allow')
'parent_id': parent_id,
'created_at': int(time.time()),
'updated_at': int(time.time()),
}
)Because FolderModel declares user_id: str as a real field (not just a form extra), any attacker-supplied user_id in the POST body is accepted by the model and persisted on the Folder row.
Attack Scenario
- Attacker discovers a victim's user ID. User UUIDs commonly leak via the user search endpoint (
GET /api/v1/users/search, intentionally accessible to verified users for sharing UI), shared chat metadata, or channel member lists. - Attacker sends:
POST /api/v1/folders/
{
"name": "Important: Click here",
"user_id": "<victim_user_id>",
"meta": {"icon": "warning"},
"data": {...}
}- Pydantic accepts the extra
user_idfield (allowed byextra='allow'). insert_new_folderspreads the form data over the server-set'user_id': user_id, overwriting it with the attacker's value.- The
Folderrow is persisted withuser_id = <victim_user_id>. - The victim sees the attacker-planted folder in their UI on next load because
GET /api/v1/folders/filters by the viewer's ownuser_id.
The attacker can repeat this to plant multiple folders, use crafted name values for phishing ("Click here to recover account" / "Security alert"), and abuse the meta and data fields to add visual elements that further mimic legitimate content.
Impact
- Unauthorized write into victim's folder tree
- Phishing surface: attacker-controlled
name,meta, anddatarender in the victim's UI in a trusted context - DoS / spam: attacker can flood a victim with arbitrary folders; victim must manually delete each one
- Attacker cannot read the folder back - all read paths filter by the caller's own
user_id- so confidentiality is preserved, but integrity and trust are compromised
Preconditions
- Attacker must have an authenticated account with
features.folderspermission (default for all users) - Attacker must know or guess the victim's user UUID (obtainable through various non-sensitive endpoints)
AnalysisAI
Mass assignment vulnerability in Open WebUI's folder creation endpoint allows authenticated attackers to create folders in other users' accounts by exploiting Pydantic's extra='allow' configuration. An attacker with a valid account can supply an arbitrary user_id in the POST request body, overwriting the server-assigned value and persisting folders under a victim's account without their knowledge. The attacker can use this to plant phishing content, spam folders, or degrade user experience for targeted victims.
Technical ContextAI
The vulnerability exists in the folder form model (FolderForm in backend/open_webui/models/folders.py) which uses Pydantic's ConfigDict(extra='allow') setting. This configuration permits arbitrary fields beyond the defined schema to pass through validation and be included in model_dump(exclude_unset=True). In the insert_new_folder function (lines 95-106), the server-assigned user_id is initially set but then overwritten via dictionary spread of the user-controlled form data. Since FolderModel declares user_id as an actual field (not just an extra), Pydantic accepts the attacker-supplied value and the ORM persists it directly to the database. The root cause is CWE-862 (Missing Authorization): the application fails to validate that the user_id being written matches the authenticated user's identity, instead relying on Pydantic validation alone which is insufficient for security-sensitive fields.
RemediationAI
Upgrade Open WebUI to version 0.9.0 or later, which removes the extra='allow' configuration from FolderForm and implements proper server-side validation of user_id. If immediate upgrade is not possible, apply a temporary compensating control by modifying the insert_new_folder function to explicitly reject any user_id value supplied in the request body and always use the authenticated user's own user_id from the request context. This requires code-level patching in backend/open_webui/models/folders.py (lines 95-106) to ensure server-assigned values cannot be overwritten by form data spread. An alternative (less preferred) mitigation is to remove extra='allow' from FolderForm's model_config, converting it to ConfigDict(extra='forbid'), which will cause Pydantic to reject any unexpected fields in the POST body and raise a validation error. This blocks the attack but may break integrations if external systems rely on passing additional fields. See vendor advisory at https://github.com/open-webui/open-webui/security/advisories/GHSA-hr43-rjmr-7wmm for specific patch details.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30603
GHSA-hr43-rjmr-7wmm