Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files.
Details
The root cause is in has_access_to_file() in backend/open_webui/routers/files.py.
When a user calls DELETE /api/v1/files/{file_id}, the endpoint delegates authorization to has_access_to_file(file_id, access_type="write", user=requesting_user). Inside that function, one branch checks whether the file is referenced in any shared chat:
chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
return TrueThis branch has two missing checks:
- No user check: It asks "does any shared chat anywhere reference this file?", not "does the requesting user own or participate in that chat." Any authenticated user passes this check.
- No operation check: The
access_typeparameter ("write"for delete) is accepted but never inspected. The branch returnsTrueregardless of whether the caller is requesting read access or delete access.
The result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.
The delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.
How an attacker obtains file UUIDs:
UUIDs are impractical to brute-force, but they don't need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via GET /api/v1/knowledge/{id}/files. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.
Suggested fix: gate the shared-chat branch on access_type so it only authorizes read operations:
if access_type == "read":
chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
return TrueClassification:
- CWE-639: Authorization Bypass Through User-Controlled Key
- OWASP API1:2023: Broken Object Level Authorization
- CVSS 3.1: 5.7 -
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Tested on Open WebUI 0.8.3 using a default Docker configuration.
PoC
Prerequisites:
- Default Open WebUI installation (Docker:
ghcr.io/open-webui/open-webui:main) - Two user accounts: a victim (any role) and an attacker (role:
user)
Setup (victim):
- Log in as the victim
- Create a knowledge base and upload a document
- Start a new chat, attach the KB file, and send a message
- Share the chat using the share button
Obtaining the file UUID (attacker):
If the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:
GET /api/v1/knowledge/{kb_id}/filesThis returns metadata for all files in the KB, including their UUIDs.
Exploit (attacker):
python3 poc.py --url http://<host>:3000 --file-id <target-file-uuid> -t <attacker-jwt>The PoC script (attached as poc.py):
- Authenticates as the attacker
- Confirms the target file is accessible via
GET /api/v1/files/{id}/data/content - Deletes the file via
DELETE /api/v1/files/{id} - Verifies permanent deletion (HTTP 404 on subsequent GET)
No special tooling is required - the script uses only Python 3 standard library (urllib).
Impact
Who is affected: Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.
What can happen:
- Permanent data destruction: The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism.
- Knowledge base degradation: If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing.
- No audit trail: The delete operation does not record which user performed it.
Sharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.
Disclaimer on the use of AI powered tools
The research and reporting related to this vulnerability was aided by AI tools.
Scope clarification
The root cause is the has_access_to_file() shared-chat branch returning True regardless of access_type or requesting user. The original PoC demonstrates DELETE (access_type='write'), but the same gate is what authorizes the read (GET /api/v1/files/{id}, GET /api/v1/files/{id}/content) and modify (POST /api/v1/files/{id}/data/content/update) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.
Resolution
Fixed in commit 2e52ad8ff ("refac: shared chat"), first released in v0.9.0 (Apr 2026). The shared-chat feature was refactored to introduce a dedicated shared_chats table and gate shared-chat access through AccessGrants (resource_type='shared_chat'). has_access_to_file() (now in backend/open_webui/utils/access_control/files.py:68-80) calls AccessGrants.get_accessible_resource_ids to filter the shared-chat IDs to only those the requesting user has an explicit grant on - ownership, group membership, or public share - before returning True
The new gate is permission-aware ('read' here) and user-aware, closing both the "any user passes" issue and the "access_type ignored" issue. Users on >= 0.9.0 are not affected.
AnalysisAI
Broken object-level authorization in Open WebUI versions ≤0.8.12 allows any authenticated user to permanently delete files owned by other users when those files are referenced in any shared chat. The has_access_to_file() authorization function unconditionally grants access through its shared-chat branch, failing to validate both the requesting user's identity and the operation type (read vs. write). File UUIDs, which would otherwise prevent enumeration attacks, are exposed via the knowledge base API endpoint GET /api/v1/knowledge/{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.
Technical ContextAI
Open WebUI is a Python-based web interface for large language models that implements knowledge bases (RAG systems) and chat sharing features. The vulnerability resides in the has_access_to_file() authorization gate in backend/open_webui/routers/files.py. This function is called by REST API endpoints (DELETE /api/v1/files/{id}, GET /api/v1/files/{id}/content, POST /api/v1/files/{id}/data/content/update) with an access_type parameter to distinguish read from write operations. The shared-chat branch contains a logic error where it queries Chats.get_shared_chats_by_file_id(file_id) and returns True if any shared chat anywhere references the file - it never checks whether the requesting user participates in that chat, nor does it inspect the access_type parameter. This is CWE-639 (Authorization Bypass Through User-Controlled Key) and OWASP API1:2023 (Broken Object Level Authorization). The fix in v0.9.0 introduced a dedicated shared_chats table with AccessGrants resources (resource_type='shared_chat') that filter shared-chat IDs through get_accessible_resource_ids, ensuring only users with explicit grants (ownership, group membership, or public share) pass authorization. File UUIDs are exposed through the knowledge base files API, converting what would be a non-exploitable authorization flaw into a practical attack vector in multi-user deployments.
RemediationAI
Upgrade immediately to Open WebUI v0.9.0 or later, available via Docker (ghcr.io/open-webui/open-webui:v0.9.0 or :latest) or pip (pip install --upgrade open-webui). The fix is in commit 2e52ad8ff2f8d9ed9f38f76e9bc19c8f92d91fc3, which refactors shared-chat authorization to use a dedicated shared_chats table with AccessGrants filtering accessible resource IDs by user. Vendor advisory: https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8. Release notes: https://github.com/open-webui/open-webui/releases/tag/v0.9.0. No workaround is viable for production use - the authorization logic is embedded in core API endpoints and cannot be disabled without breaking file sharing entirely. Temporary risk reduction (with operational trade-offs): (1) Disable chat sharing globally if the platform supports such a configuration flag (stops UUID disclosure and shared-chat access branch, but eliminates a core collaboration feature). (2) Implement network-level access controls to restrict the /api/v1/files/* and /api/v1/knowledge/*/files endpoints to trusted IP ranges (reduces attacker pool but does not prevent insider threats or compromised accounts). (3) Audit logs for DELETE /api/v1/files/* requests and alert on deletions by non-owner users (detective control only, does not prevent data loss). All mitigations are partial and inferior to patching. Patching requires restarting the Docker container or application service with no database migration complexity beyond what is automated in the Alembic migration script included in v0.9.0.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30606
GHSA-26g9-27vm-x3q8