Improper access control in Open WebUI - CVE-2026-29070

Published: April 24, 2026


Vulnerability identifier: #VU127474
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-29070
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software: Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to improper access control in the knowledge file deletion endpoint when handling file removal requests. A remote user can send a specially crafted request containing a file id that belongs to another knowledge base and thereby delete arbitrary files.

The issue occurs because the application verifies that the caller has write access to the current knowledge base but does not verify that the targeted file belongs to that knowledge base.
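As an added illustration (not Open WebUI's own code; the in-memory knowledge-base model, its owner field and all function names are assumptions), a minimal file-removal handler showing the check the advisory describes as missing next to the hardened version:

```python
# Added illustration, not Open WebUI's code: KB file-removal handler, vulnerable vs hardened.
from dataclasses import dataclass, field

@dataclass
class KnowledgeBase:
    owner: str  # user allowed to write to this KB (assumed ownership model)
    file_ids: set = field(default_factory=set)

class KnowledgeService:
    def __init__(self):
        self.kbs = {}    # kb_id -> KnowledgeBase
        self.files = {}  # file_id -> kb_id that owns the file

    def add_file(self, kb_id, file_id):
        self.kbs[kb_id].file_ids.add(file_id)
        self.files[file_id] = kb_id

    def _require_write(self, user, kb_id):
        kb = self.kbs.get(kb_id)
        if kb is None or kb.owner != user:
            raise PermissionError("no write access to knowledge base")
        return kb

    def remove_file_vulnerable(self, user, kb_id, file_id):
        # Only the caller's access to kb_id is checked; file_id is acted on as
        # given, so a file attached to a different KB is deleted as well.
        self._require_write(user, kb_id)
        owning_kb = self.files.pop(file_id, None)
        if owning_kb is not None:
            self.kbs[owning_kb].file_ids.discard(file_id)
        return owning_kb

    def remove_file_fixed(self, user, kb_id, file_id):
        kb = self._require_write(user, kb_id)
        # The missing check: the target must belong to the KB being edited.
        if file_id not in kb.file_ids:
            raise PermissionError("file does not belong to this knowledge base")
        kb.file_ids.discard(file_id)
        del self.files[file_id]
        return kb_id

def build_sample_service():
    # Constructed sample state: two users, one knowledge base and one file each.
    svc = KnowledgeService()
    svc.kbs["kb-alice"] = KnowledgeBase(owner="alice")
    svc.kbs["kb-bob"] = KnowledgeBase(owner="bob")
    svc.add_file("kb-alice", "file-1")
    svc.add_file("kb-bob", "file-2")
    return svc
```

With the sample state, `remove_file_vulnerable("bob", "kb-bob", "file-1")` removes Alice's file because only Bob's access to `kb-bob` is verified, while `remove_file_fixed` rejects the same request and still allows Bob to remove his own `file-2`.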


How to mitigate CVE-2026-29070

Install the security update from the vendor's website.

Sources