SB2026051155 - Improper access control in Open WebUI
Published: May 11, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote authenticated user to read files uploaded by other users and to delete arbitrary uploaded files.
The vulnerability exists due to improper access control in the files API endpoints that handle authenticated requests for file listing, file content retrieval and file deletion. A remote user can send crafted requests to list, read and delete files uploaded by other users, disclosing sensitive information and destroying other users' uploads.
The affected endpoints check only that the requester is a verified user and never compare the requester's identity with the user_id recorded on the file. Because the listing endpoint is itself affected, an attacker does not need to guess file identifiers: the listing returns them, and a file id alone is then sufficient to read or delete that file.
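The following is an added example written for this bulletin, not Open WebUI's own code. It models the shape of the bug in plain Python: the User and FileRecord types, the in-memory FileStore and the handler names are assumptions made for illustration. The vulnerable handlers accept any verified user; the hardened handlers additionally check the caller against the file's user_id (with an assumed admin role exempted), and the listing is filtered by owner rather than returned wholesale.

```python
"""Ownership enforcement for a files API, modelled on the flaw described above.

Added example, not Open WebUI's code. User, FileRecord, FileStore and the
handler names are assumptions; only the bug shape (an endpoint that checks
"is this a verified user?" but never "does this user own the file?") follows
the bulletin.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class NotFound(Exception):
    """The requested file id does not exist."""


class Forbidden(Exception):
    """A verified user tried to act on a file they do not own."""


@dataclass
class User:
    id: str
    role: str = "user"  # assumed roles: "user" or "admin"


@dataclass
class FileRecord:
    id: str
    user_id: str  # owner; the field the affected endpoints never consulted
    filename: str
    content: bytes


@dataclass
class FileStore:
    """Constructed in-memory stand-in for the files table."""
    files: Dict[str, FileRecord] = field(default_factory=dict)

    def get(self, file_id: str) -> FileRecord:
        rec = self.files.get(file_id)
        if rec is None:
            raise NotFound(file_id)
        return rec

    def list_all(self) -> List[FileRecord]:
        return list(self.files.values())

    def list_by_user(self, user_id: str) -> List[FileRecord]:
        return [f for f in self.files.values() if f.user_id == user_id]

    def delete(self, file_id: str) -> None:
        del self.files[file_id]


# --- Vulnerable shape: authentication only, no ownership check -------------
# Assume the framework has already rejected unauthenticated callers, so
# `user` is always a verified user by the time these handlers run.

def vulnerable_list_files(store: FileStore, user: User) -> List[FileRecord]:
    return store.list_all()  # every verified user sees everyone's files


def vulnerable_get_file_content(store: FileStore, user: User, file_id: str) -> bytes:
    return store.get(file_id).content  # any id works for any verified user


def vulnerable_delete_file(store: FileStore, user: User, file_id: str) -> None:
    store.get(file_id)
    store.delete(file_id)  # deletes other users' uploads too


# --- Hardened shape: ownership enforced against FileRecord.user_id ---------

def require_file_access(rec: FileRecord, user: User) -> FileRecord:
    """Allow the owner or an admin; deny everyone else."""
    if rec.user_id != user.id and user.role != "admin":
        raise Forbidden(f"user {user.id} does not own file {rec.id}")
    return rec


def list_files(store: FileStore, user: User) -> List[FileRecord]:
    if user.role == "admin":
        return store.list_all()
    return store.list_by_user(user.id)  # filter by owner, not just by auth


def get_file_content(store: FileStore, user: User, file_id: str) -> bytes:
    return require_file_access(store.get(file_id), user).content


def delete_file(store: FileStore, user: User, file_id: str) -> None:
    require_file_access(store.get(file_id), user)
    store.delete(file_id)


def denied(fn, *args) -> bool:
    """True if the call is rejected by the ownership check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def sample_store():
    """Constructed sample data: two users with one upload each, plus an admin."""
    alice, bob, admin = User("alice"), User("bob"), User("root", role="admin")
    store = FileStore()
    store.files["f-alice-1"] = FileRecord("f-alice-1", "alice", "notes.txt", b"alice's private notes")
    store.files["f-bob-1"] = FileRecord("f-bob-1", "bob", "todo.txt", b"bob's todo list")
    return store, alice, bob, admin


if __name__ == "__main__":
    store, alice, bob, admin = sample_store()
    # Vulnerable: bob reads alice's upload with nothing but its id.
    print(vulnerable_get_file_content(store, bob, "f-alice-1"))
    # Hardened: the same request is refused; alice and the admin still succeed.
    print("bob denied:", denied(get_file_content, store, bob, "f-alice-1"))
    print("admin allowed:", not denied(get_file_content, store, admin, "f-alice-1"))
    print("bob's listing:", [f.id for f in list_files(store, bob)])
```

Two practical points follow from the example. First, the check belongs next to the lookup (here require_file_access wraps store.get) so that every handler that resolves a file id goes through it; a check bolted onto one endpoint is exactly how listing, retrieval and deletion end up with different guarantees. Second, when regression-testing the fix, exercise each endpoint with a second user's session against a first user's file id; an unauthenticated test proves nothing about this class of bug, since the affected endpoints already rejected anonymous callers.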
Remediation
Install the update from the vendor's website.