SB2026050626 - Multiple vulnerabilities in Open WebUI

Published: May 6, 2026

Security Bulletin ID SB2026050626
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to use authenticated API functionality without an activated account and thereby disclose limited information, modify limited data, or affect availability.

The vulnerability exists because authenticated API endpoints do not check whether the account behind a valid JWT has been activated. When new sign-ups are enabled, registration immediately returns a JWT for the new, still-pending account, and the API accepts that token on endpoints intended for verified users. A remote attacker can therefore register an account, take the returned token, and call those endpoints to disclose limited information, modify limited data, or affect availability.

Only deployments with new sign-ups enabled are exposed to registration-based exploitation. The restriction on pending accounts is enforced only client-side; the API itself treats a pending account as an authenticated user.
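The following is an added illustration of the bug class and its fix, not Open WebUI's code. It assumes a minimal HS256 JWT issued at sign-up, an in-memory account store (constructed), and the role names "pending", "user" and "admin" (assumed; the bulletin only says accounts start as pending). The point it demonstrates is that a valid token proves identity, not entitlement: the activation state must be read from the server-side record on every protected endpoint, because hiding pages in the client changes nothing the API can rely on.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key; a real deployment keeps this in configuration.
SECRET = b"constructed-demo-signing-key"


class AuthError(Exception):
    """Raised when a request must be rejected (401/403 in an HTTP handler)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl: int = 3600) -> str:
    """Minimal HS256 JWT carrying only the user id; the role is deliberately NOT embedded."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"id": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = _b64url(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token: str) -> dict:
    """Check structure, signature and expiry, then return the claims.
    The header is not parsed here; a production verifier must also pin alg to HS256."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header, payload, sig = parts
    expected = _b64url(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise AuthError("token expired")
    return claims


# Constructed in-memory account store. Accounts created through sign-up start as "pending".
USERS = {
    "u-admin": {"email": "admin@example.test", "role": "admin"},
}


def sign_up(user_id: str, email: str) -> str:
    """Registration: creates a pending account and, as the bulletin describes, returns a JWT."""
    USERS[user_id] = {"email": email, "role": "pending"}
    return issue_token(user_id)


def get_current_user(token: str) -> dict:
    """Authentication only: any account with a valid token passes, pending or not."""
    claims = verify_token(token)
    user = USERS.get(claims.get("id"))
    if user is None:
        raise AuthError("unknown user")
    return user


def get_verified_user(token: str) -> dict:
    """Authorization: the role comes from the server-side record, never from the token or client."""
    user = get_current_user(token)
    if user["role"] not in ("user", "admin"):
        raise AuthError("account is pending activation")
    return user


def list_documents_unfixed(token: str) -> list:
    """Endpoint guarded by authentication alone: a pending account is let through."""
    get_current_user(token)
    return ["constructed-doc-1"]


def list_documents_fixed(token: str) -> list:
    """Same endpoint with the server-side activation check in front of it."""
    get_verified_user(token)
    return ["constructed-doc-1"]


def denied(endpoint, token: str) -> bool:
    """True when the endpoint rejects the token with AuthError."""
    try:
        endpoint(token)
        return False
    except AuthError:
        return True
```

In a FastAPI-style application the `get_verified_user` check is the dependency every non-onboarding route should declare; `get_current_user` alone is only appropriate for the handful of endpoints a pending account legitimately needs (for example, checking its own activation status). Keeping the role out of the token also means an administrator's decision to deactivate or demote an account takes effect immediately rather than at token expiry.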


2) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to upload files to arbitrary locations on the server filesystem.

The vulnerability exists because the /rag/api/v1/doc API route builds the destination path from the filename field of the multipart form data without rejecting dot-segments ('..'). A remote attacker can send a specially crafted upload whose filename contains '..' segments and have the file written outside the intended upload directory, at an arbitrary location on the server filesystem.

The uploaded file is written with the permissions of the user running the web server, so the locations an attacker can reach are those that account can write to.
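The following is an added example of the bug class and a hardened replacement; it is not Open WebUI's upload code and makes no claim about how the affected route is written. It assumes a handler that receives the multipart filename as a plain string and an upload directory on local disk (both constructed here). It shows the naive join escaping the directory with both '..' segments and an absolute name, and a check that refuses any filename carrying a path component and then confirms, after symlink resolution, that the final path sits directly inside the upload directory.

```python
import os
import tempfile
from pathlib import Path


class UploadRejected(ValueError):
    """Raised when a client-supplied filename must not be written anywhere."""


def make_upload_dir() -> str:
    """Throwaway upload directory for the demonstration (constructed)."""
    return tempfile.mkdtemp(prefix="uploads-")


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """The bug class: the multipart filename is joined straight onto the upload directory.
    '..' segments walk out of upload_dir, and an absolute filename discards it entirely
    because os.path.join restarts at an absolute component."""
    return os.path.join(upload_dir, filename)


def resolves_outside(upload_dir: str, filename: str) -> bool:
    """True if the naive join would land outside upload_dir (computed without writing anything)."""
    base = Path(upload_dir).resolve()
    target = Path(unsafe_upload_path(upload_dir, filename)).resolve()
    return not target.is_relative_to(base)


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened version: accept only a bare file name, then verify containment after resolving."""
    if not filename or "\x00" in filename:
        raise UploadRejected("empty filename or NUL byte")
    # A multipart filename should never carry a directory part. Reject rather than strip,
    # so '../x', '/x' and 'sub/../x' are all refused (and can be logged as suspicious)
    # instead of being silently normalised into something that looks benign.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise UploadRejected("filename contains a path component")
    base = Path(upload_dir).resolve()
    target = (base / filename).resolve()
    # Defence in depth: after symlink resolution the file must sit directly inside upload_dir.
    if target.parent != base:
        raise UploadRejected("resolved path escapes the upload directory")
    return str(target)


def rejected(upload_dir: str, filename: str) -> bool:
    """True when the hardened check refuses the filename."""
    try:
        safe_upload_path(upload_dir, filename)
        return False
    except UploadRejected:
        return True


def save_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Write the upload only at a validated path; 'x' mode refuses to clobber an existing file."""
    path = safe_upload_path(upload_dir, filename)
    with open(path, "xb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both versions over constructed probe names; returns what each version decided."""
    upload_dir = make_upload_dir()
    probes = ["report.pdf", "../../outside.txt", "/outside.txt", "notes/../inside.txt"]
    return {
        name: {
            "naive_join_escapes": resolves_outside(upload_dir, name),
            "hardened_rejects": rejected(upload_dir, name),
        }
        for name in probes
    }
```

The probe "notes/../inside.txt" is the instructive one: a containment check that only resolves the joined path would accept it, since it lands inside the directory, but a filename with any directory component is not something a legitimate browser upload produces, so the hardened check refuses it outright and keeps the resolve step purely as a backstop. Rejecting with an error rather than renaming also gives a clean signal to log and alert on.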


Remediation

Install the update from the vendor's website. Until it is applied, disabling new sign-ups removes the registration-based path to vulnerability 1, and the upload directory and other locations writable by the web server account are worth checking for files with unexpected names or paths in case vulnerability 2 has already been used.