SB20260505106 - Path traversal in Open WebUI
Published: May 5, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to overwrite and delete arbitrary files.
The vulnerability exists due to path traversal in the /ollama/models/upload API route when handling file upload requests with a crafted filename. A remote user can upload a file with dot-segments in its filename to overwrite and delete arbitrary files.
The file is temporarily written to disk before being forwarded to an internal API and then removed, so exploitation is limited to files writable by the account running the web server.
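As an added illustration of the mitigation (this is example code written for this bulletin, not Open WebUI's own handler, and the directory and function names are hypothetical), the check below reduces an uploaded filename to a single path component before it is staged to disk, so dot-segments or separators in the client-supplied name can never move the temporary file outside the staging directory, and the later removal step deletes only that staged file.

```python
import os


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename could escape the staging directory."""


def sanitize_upload_name(filename: str) -> str:
    """Return the filename as a single path component or raise UnsafeFilename.

    Rejects empty names, NUL bytes, absolute paths, any '/' or '\\' separator
    (so Windows-style traversal is caught on POSIX hosts too) and the
    dot-segments '.' and '..'.
    """
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    parts = filename.replace("\\", "/").split("/")
    if len(parts) != 1:
        raise UnsafeFilename("path separator in name")
    name = parts[0]
    if name in (".", ".."):
        raise UnsafeFilename("dot-segment as name")
    return name


def is_safe_filename(filename: str) -> bool:
    """Convenience predicate around sanitize_upload_name."""
    try:
        sanitize_upload_name(filename)
        return True
    except UnsafeFilename:
        return False


def resolve_upload_path(filename: str, upload_dir: str) -> str:
    """Join the sanitized name under upload_dir and confirm it stays inside.

    The containment check is defense in depth: even if the sanitizer were
    bypassed, a resolved path outside the staging directory is refused.
    """
    name = sanitize_upload_name(filename)
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFilename("resolved path leaves the staging directory")
    return target


def stage_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Write the upload into upload_dir and return the path to remove later."""
    target = resolve_upload_path(filename, upload_dir)
    os.makedirs(upload_dir, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target
```

The same resolved path returned by stage_upload should be used for the cleanup step, so the delete can never be redirected either.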
Remediation
Install update from vendor's website.