Open WebUI, Authorization Bypass (Medium)

Listen to this Post

How the CVE works:

The vulnerability resides in `has_access_to_file()` within backend/open_webui/routers/files.py. When any authenticated user sends DELETE /api/v1/files/{file_id}, the endpoint calls has_access_to_file(file_id, access_type="write", user=requesting_user). Inside the function, a branch checks chats = Chats.get_shared_chats_by_file_id(file_id, db=db). If any shared chat references that file, it returns `True` unconditionally. This branch performs no user identity check (it does not verify if the requesting user owns or participates in that chat) and ignores the `access_type` parameter (returns `True` even for `”write”` or "delete"). Consequently, any authenticated user can delete any file that is linked from any shared chat anywhere on the instance. The delete endpoint lacks secondary ownership validation, leading to permanent file removal from database, disk, and knowledge bases. Attackers obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` if they have read access to a shared knowledge base (a common deployment scenario). UUIDs are otherwise impractical to brute‑force, but this endpoint discloses them. The same bypass affects read (GET /api/v1/files/{id}) and modify (POST /api/v1/files/{id}/data/content/update) endpoints, granting full read+write+delete capabilities on any file referenced by any shared chat. Tested on Open WebUI 0.8.3 (default Docker). Fixed in commit `2e52ad8ff` (v0.9.0, Apr 2026) by refactoring shared‑chat access through AccessGrants that filter on user grants and permission type.

dailycve form (3 words max per line):

Platform: Open WebUI
Version: 0.8.3
Vulnerability: Auth bypass
Severity: Medium (5.7)
date: Not specified

Prediction: Patched Apr2026

What Undercode Say:

List knowledge base files (disclose UUIDs)
curl -X GET "http://target:3000/api/v1/knowledge/{kb_id}/files" \
-H "Authorization: Bearer $ATTACKER_JWT"
Delete a file using disclosed UUID
curl -X DELETE "http://target:3000/api/v1/files/{file_uuid}" \
-H "Authorization: Bearer $ATTACKER_JWT"
Python PoC (standard library only)
python3 -c "
import urllib.request, json
jwt='<attacker_jwt>'; url='http://target:3000/api/v1/files/{uuid}'
req=urllib.request.Request(url, method='DELETE')
req.add_header('Authorization', f'Bearer {jwt}')
urllib.request.urlopen(req)
"

How Exploit:

1. Attacker logs in (any valid role).

  1. Obtain a target file UUID via `GET /api/v1/knowledge/{kb_id}/files` (requires read access to a shared knowledge base).

3. Send `DELETE /api/v1/files/{uuid}` with attacker’s JWT.

  1. The server deletes the file permanently (HTTP 200/204, subsequent GET returns 404).

Protection from this CVE:

Upgrade to Open WebUI ≥ v0.9.0 (fix commit 2e52ad8ff). If upgrade is impossible, apply the suggested code change: wrap the shared‑chat branch with `if access_type == “read”` or disable chat sharing until patched.

Impact:

Permanent deletion of any file referenced by any shared chat, performed by any authenticated user. Loss of RAG knowledge base documents without audit trail. Full read+modify+delete capability on those files. Affects all multi‑user deployments with default chat sharing enabled.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top