PatchSiren cyber security CVE debrief

CVE-2026-45671 open-webui CVE debrief

Open WebUI versions prior to 0.9.0 contain an authorization bypass vulnerability that allows any authenticated user to permanently delete files owned by other users. The vulnerability exists in the `has_access_to_file()` function, which unconditionally grants access through its shared-chat branch without verifying the requesting user's identity or the operation type. Attackers can obtain file UUIDs through knowledge base read access, then exploit the weak authorization check to delete arbitrary files referenced in shared chats.

Vendor: open-webui
Product: Unknown
CVSS: HIGH 8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Organizations running self-hosted Open WebUI instances prior to 0.9.0, particularly multi-user deployments that use shared chats and knowledge bases, and security teams responsible for AI/ML platform governance and data loss prevention.

Technical summary

The `has_access_to_file()` authorization gate in Open WebUI prior to 0.9.0 contains a logic flaw where the shared-chat branch grants access without validating the requester's identity or operation type. This allows authenticated users to execute DELETE operations on files they do not own. File UUIDs are discoverable through `GET /api/v1/knowledge/{id}/files` endpoints, eliminating the practical barrier of UUID unpredictability. The vulnerability is remotely exploitable with low attack complexity, requiring only authenticated access and user interaction (accessing a shared chat).
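To make the flaw concrete, the following is an added illustration and not Open WebUI's own code: a simplified model of an owner-or-shared-chat file authorization gate in its flawed form beside a corrected one that confines the shared-chat path to read operations. The class and function names, fields, and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the CWE-639 pattern described above; not the
# project's code. Names, fields and sample data are assumptions.

@dataclass
class StoredFile:
    id: str        # file UUID, discoverable via knowledge base listings
    owner_id: str

@dataclass
class Chat:
    id: str
    owner_id: str
    shared: bool
    file_ids: set = field(default_factory=set)

def referenced_in_shared_chat(file: StoredFile, chats) -> bool:
    """True if any shared chat references the file's UUID."""
    return any(c.shared and file.id in c.file_ids for c in chats)

def has_access_vulnerable(file, user_id, access_type, chats) -> bool:
    """Flawed gate: the shared-chat branch ignores who is asking and what
    they intend to do, so a non-owner passes for 'delete' as easily as 'read'."""
    if file.owner_id == user_id:
        return True
    if referenced_in_shared_chat(file, chats):
        return True          # access_type is never consulted here
    return False

def has_access_fixed(file, user_id, access_type, chats) -> bool:
    """Hardened gate: destructive operations (write/delete) are owner-only;
    a shared-chat reference can at most confer read access."""
    if file.owner_id == user_id:
        return True
    if access_type != "read":
        return False         # non-owner may never delete or modify
    return referenced_in_shared_chat(file, chats)

if __name__ == "__main__":
    # Constructed scenario: alice shares a chat that references her file;
    # bob is an unrelated authenticated user.
    f = StoredFile("f-1", "alice")
    chats = [Chat("c-1", "alice", True, {"f-1"})]
    print("vulnerable, bob delete:", has_access_vulnerable(f, "bob", "delete", chats))
    print("fixed, bob delete:     ", has_access_fixed(f, "bob", "delete", chats))
    print("fixed, bob read:       ", has_access_fixed(f, "bob", "read", chats))
```

The same owner-only rule for destructive operations is the check listed below under "Implement additional authorization checks for destructive operations on shared resources".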

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open WebUI to version 0.9.0 or later to remediate this vulnerability
  • Review file access logs for unauthorized DELETE /api/v1/files/{id} requests between deployment and patch date
  • Audit knowledge base access permissions to limit exposure of file UUIDs
  • Implement additional authorization checks for destructive operations on shared resources
  • Monitor for anomalous file deletion patterns in shared chat contexts

Evidence notes

The vulnerability is confirmed by the vendor's security advisory and NVD analysis. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).

Official resources

This vulnerability was disclosed via GitHub Security Advisory GHSA-26g9-27vm-x3q8 and published in the NVD on 2026-05-15. The vendor has released version 0.9.0 containing the fix.