Listen to this Post
How CVE-2026-59212 Works
Open WebUI is a self‑hosted, feature‑rich AI platform that allows users to manage knowledge files through a granular permission system. In versions 0.9.6 through before 0.10.0, the authorization mechanism suffers from a critical inconsistency that enables privilege escalation.
The core flaw resides in the `_verify_knowledge_file_access` function. This function is responsible for validating whether a user has permission to access a given knowledge file. However, its implementation only checks read‑level permissions. It does not enforce any separate validation for write or delete operations.
When a user performs a file write or delete action, the platform does not re‑evaluate the user’s actual privileges for that operation. Instead, it blindly trusts object‑derived access information that is stored in `model.meta.knowledge` entries. These metadata entries are populated from previous read‑access grants and are treated as an authoritative source of authorization for subsequent destructive operations.
This design creates a dangerous trust relationship: once a user has been granted read access to a file (e.g., via a shared knowledge base), the system assumes that the same user is also allowed to write or delete that file, simply because the file ID appears in their `meta.knowledge` list. There is no separate ownership or capability check for write/delete endpoints.
An attacker with only read‑only access to a knowledge file can therefore:
1. Obtain the file UUID (e.g., via GET /api/v1/knowledge/{id}/files).
2. Craft a request to a write or delete endpoint (such as `POST /api/v1/retrieval/process/files/batch` or DELETE /api/v1/files/{id}).
3. The system sees the file ID in the user’s `meta.knowledge` and incorrectly authorizes the destructive action, because the write/delete routes rely on the same metadata that was only validated for read.
This vulnerability is rooted in CWE‑284 (Improper Access Control) and represents a classic case of privilege escalation through inconsistent authorization checks. The attack requires only a valid authenticated session and read‑level access to any knowledge file – a low bar in multi‑tenant deployments where knowledge bases are often shared among users.
The issue was addressed in version 0.10.0 by ensuring that write and delete operations now require explicit verification of the user’s actual permissions, independent of any previously granted read access.
DailyCVE Form:
Platform: Open WebUI
Version: 0.9.6‑0.10.0
Vulnerability: Privilege Escalation
Severity: Critical
date: 2026‑07‑09
Prediction: 2026‑07‑15
What Undercode Say
Analytics & Detection Commands
Check your installed Open WebUI version:
If installed via pip pip show open-webui | grep Version If running as a container docker inspect open-webui | grep -i version If deployed from source grep -r "VERSION" /path/to/open-webui/backend/
Detect potential exploitation attempts by monitoring logs for unusual file operations:
Look for unauthorized file write/delete attempts (example for nginx logs)
grep -E "POST /api/v1/retrieval/process/files/batch|DELETE /api/v1/files/" /var/log/nginx/access.log | awk '{print $1, $7, $9}'
Audit knowledge base access patterns
grep -E "GET /api/v1/knowledge/./files" /var/log/nginx/access.log | cut -d' ' -f1,7 | sort | uniq -c
Check for models with suspicious `meta.knowledge` entries (indicative of forged metadata):
Example: query the database (if using SQLite) sqlite3 /path/to/open-webui.db "SELECT id, name, meta FROM models WHERE meta LIKE '%knowledge%';"
Exploit
An authenticated attacker with read‑only access to a knowledge file can escalate to write/delete by:
1. Enumerate file UUIDs – from any accessible knowledge base:
GET /api/v1/knowledge/{knowledge_base_id}/files
The response contains `file_id` for every document in that knowledge base.
2. Forge a write request – using the obtained file ID, send a `POST` to the batch processing endpoint (which performs no ownership check):
POST /api/v1/retrieval/process/files/batch
Body: { "files": [{"id": "<victim_file_id>", "content": "malicious payload"}] }
Because the endpoint only requires `get_verified_user` (any authenticated user) and trusts the supplied file_id, the file is overwritten.
3. Delete a file – send a `DELETE` to /api/v1/files/{id}. The `has_access_to_file()` function checks the user’s `meta.knowledge` and returns true if the file ID is present – even if the user never had write/delete permissions.
The overwritten or deleted content can poison the RAG pipeline, causing the LLM to serve attacker‑controlled data to other users.
Protection
- Upgrade immediately to Open WebUI version 0.10.0 or later. The fix ensures that write and delete operations now require explicit permission validation, independent of any metadata derived from read access.
- If upgrading is not immediately possible, restrict network access to the affected endpoints (
/api/v1/retrieval/process/files/batch,/api/v1/files/{id}) using a reverse proxy or firewall, allowing only trusted admin IPs. - Audit existing knowledge file permissions – review all shared knowledge bases and ensure that read‑only users do not have unintended write/delete capabilities through metadata inheritance.
- Monitor logs for anomalous file operations (see “What Undercode Say” section above) and revoke access for any suspicious accounts.
- Apply the official patch – the commit that fixes the issue is available at:
https://github.com/open-webui/open-webui/commit/17df0264929514599dbcb21c6578bcdfa204b04d
Impact
- Confidentiality – An attacker can read private file content (up to 100,000 characters per call) by forging `meta.knowledge` entries.
- Integrity – Attackers can overwrite any knowledge file with malicious content, poisoning the RAG pipeline and influencing LLM responses for all users.
- Availability – Critical knowledge files can be deleted, causing disruption to AI platform functionality and potential data loss.
- Privilege Escalation – Users with only read‑only access can escalate to full write/delete capabilities, breaking the intended permission model in multi‑tenant environments.
- CVSS Score – Rated 6.3 (CVSSv3) with a Critical severity classification.
- Exploitability – The attack is remotely exploitable, requires low privileges, and no user interaction, making it a high‑priority risk for any deployment sharing knowledge bases among multiple users.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

