Improper access control in Open WebUI - #VU130165
Published: May 5, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to create folders in other users' accounts.
The vulnerability exists due to improper access control in the folder creation endpoint and FolderForm model when handling crafted folder creation requests. A remote user can supply a crafted user_id value in the POST body to create folders in other users' accounts.
Exploitation requires an authenticated account with folders permission and knowledge or guessing of the victim's user UUID.
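The bug class described above, shown as an added example (a generic sketch, not Open WebUI's code): a create handler that merges the request body into the stored record lets a client-supplied user_id replace the authenticated owner, while the hardened form allow-lists client fields and takes ownership only from the session. All function names, field names and identifiers here are hypothetical.

```python
import uuid

ALLOWED_FIELDS = {"name", "parent_id"}  # hypothetical client-settable fields


def create_folder_vulnerable(session_user_id, body, store):
    """Bug class from the advisory: body keys are merged after the owner is
    set, so a client-supplied user_id overrides the authenticated one."""
    record = {"id": str(uuid.uuid4()), "user_id": session_user_id, **body}
    store.append(record)
    return record


class OwnershipOverride(Exception):
    """Raised when a request tries to set a server-controlled field."""


def create_folder_hardened(session_user_id, body, store):
    """Allow-list client fields; ownership comes only from the session."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        # Reject (so the caller can log it) instead of silently dropping.
        raise OwnershipOverride(f"server-controlled or unknown fields: {sorted(unexpected)}")
    record = {key: body[key] for key in ALLOWED_FIELDS if key in body}
    record["id"] = str(uuid.uuid4())
    record["user_id"] = session_user_id  # never taken from the request body
    store.append(record)
    return record


def demo():
    # Constructed sample identifiers, not real accounts.
    alice, bob = "11111111-aaaa", "22222222-bbbb"
    crafted = {"name": "planted", "user_id": bob}  # body sent from alice's session
    vuln_store, safe_store = [], []
    vuln = create_folder_vulnerable(alice, crafted, vuln_store)
    try:
        create_folder_hardened(alice, crafted, safe_store)
        rejected = False
    except OwnershipOverride:
        rejected = True
    ok = create_folder_hardened(alice, {"name": "notes"}, safe_store)
    return vuln["user_id"], rejected, ok["user_id"], len(safe_store)


if __name__ == "__main__":
    print(demo())
```

Rejecting the request, rather than silently discarding the extra field, gives the server a log event to alert on when a client attempts to set ownership.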