PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45402 open-webui CVE debrief

Open WebUI versions prior to 0.9.5 contain an insecure direct object reference (IDOR) vulnerability in multiple API endpoints that allow authenticated users to attach arbitrary files—owned by other users—to resources they control. The affected endpoints include POST /api/v1/folders/{id}/update and knowledge-base file attachment functions in backend/open_webui/routers/folders.py and backend/open_webui/routers/knowledge.py. Because the application does not verify ownership or access permissions on the user-supplied file_id, an attacker with knowledge of another user's file UUID can exfiltrate private file contents through downstream RAG and file-content retrieval paths. On the knowledge-base path, the attacker can also overwrite the referenced file. The vulnerability requires low attack complexity, network access, and valid user credentials, but no user interaction. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, scoring 8.1 (HIGH). The weakness is categorized as CWE-639: Authorization Bypass Through User-Controlled Key. The vendor released version 0.9.5 to remediate this issue. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor
open-webui
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Organizations running self-hosted Open WebUI instances with multi-user deployments, particularly those storing sensitive documents in private user spaces or relying on knowledge-base RAG pipelines for access-controlled information retrieval. Security teams should prioritize patching due to the high confidentiality and integrity impact with low attack prerequisites.

Technical summary

The vulnerability stems from missing authorization checks when processing file_id parameters in folder and knowledge-base update endpoints. The application accepts a user-supplied UUID referencing a file object and attaches it to the caller's resource without validating that the caller has read or write access to that file. This enables two attack primitives: (1) file content exfiltration by attaching another user's private file to a knowledge base or folder the attacker controls, then retrieving content through standard RAG/file-content APIs; and (2) file content overwrite when using the knowledge-base attachment path. The attack requires the attacker to know or guess the target file's UUID, which may be discoverable through information leakage or brute-force given UUIDv4's 122 bits of entropy. The fix in 0.9.5 adds proper ownership and permission verification before file attachment operations.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.5 or later to obtain the authorization fix
  • Review access logs for unusual file attachment patterns involving file_id parameters to folders or knowledge bases
  • Implement additional authorization checks at the application layer for file_id references if immediate patching is not feasible
  • Audit file UUID exposure in client-side responses or logs that could facilitate targeted exploitation
  • Monitor for unauthorized file access or modification events in RAG and knowledge-base retrieval pipelines

Evidence notes

CVE description confirms affected endpoints and file_id parameter handling without authorization checks. NVD CPE confirms affected product (openwebui:open_webui) and fixed version boundary (prior to 0.9.5). GitHub Security Advisory tagged as Exploit, Mitigation, Vendor Advisory. CVSS vector and score sourced from NVD metadata. CWE-639 classification from advisory source.

Official resources

2026-05-15