Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-accessible web API requiring a low-privilege authenticated account; impact confined to knowledge file integrity and availability, with no confidentiality gain since attacker already holds read access.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.
AnalysisAI
Incorrect authorization in Open WebUI versions 0.9.6 through 0.9.x allows authenticated users with read-only knowledge file access to escalate their privileges to file write or delete operations. The root cause is that _verify_knowledge_file_access validated only read permissions, while write and delete routes independently trusted access derived from writable model meta.knowledge entries - creating a logical gap where the authorization check and the actual enforcement were misaligned. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated user account (PR:L) with at least read-only access to one or more knowledge files in the target Open WebUI instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.4 Medium score is consistent with the realistic risk profile: AV:N establishes this is exploitable over the network, AC:L means no special conditions are needed beyond authentication, PR:L confirms a valid low-privileged account is required, and I:L/A:L reflects that impact is limited to knowledge file integrity and availability rather than full system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a valid Open WebUI account that has been granted read-only access to a shared knowledge file sends a crafted HTTP request to the write or delete endpoint for that file. Because the route trusts the `meta.knowledge` entry rather than re-checking operation-level permissions, the request succeeds, allowing the attacker to overwrite or delete knowledge base content they should only be able to read. … |
| Remediation | Upgrade to Open WebUI v0.10.0 or later, which resolves the authorization gap via the fix committed at https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d and tracked in pull request https://github.com/open-webui/open-webui/pull/26032. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Webui
View allA vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Sit
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traver
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a St
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Se
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CV
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing u
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handlin
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF)
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42634