Path traversal in Open WebUI - #VU130238
Published: May 6, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote attacker to upload files to arbitrary locations on the server filesystem.
The vulnerability exists due to path traversal in the /rag/api/v1/doc API route when processing uploaded file names in multipart form data. A remote attacker can send a specially crafted file upload request with dot-segments in the filename to upload files to arbitrary locations on the server filesystem.
The uploaded file is written with the permissions of the user running the web server.
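A server-side check that closes this class of bug, as an added example (not Open WebUI's code or its actual fix): the multipart filename is reduced to its last path component, and the resolved target must still lie under the upload directory. The function names, the temporary upload directory and the sample filenames are assumptions constructed for illustration; the naive join is a generic pattern shown for contrast.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """The client-supplied filename cannot be stored safely."""


def is_contained(upload_dir, path):
    """True if path, once resolved, lies strictly under upload_dir."""
    return Path(upload_dir).resolve() in Path(path).resolve().parents


def naive_upload_path(upload_dir, client_filename):
    # Generic vulnerable pattern, shown for contrast only (hypothetical,
    # not the project's code): the multipart filename is joined as-is, so
    # dot-segments in it are honoured by the filesystem.
    return Path(os.path.join(upload_dir, client_filename)).resolve()


def safe_upload_path(upload_dir, client_filename):
    """Return the only path under upload_dir this upload may be written to."""
    # Treat "/" and "\" both as separators and keep the last component,
    # so no directory part of the client's name survives.
    name = client_filename.replace("\\", "/").split("/")[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(repr(client_filename))
    target = (Path(upload_dir).resolve() / name).resolve()
    # Defence in depth: a symlink already present in the upload directory
    # could still redirect the write, so re-check after resolution.
    if not is_contained(upload_dir, target):
        raise UnsafeFilename(repr(client_filename))
    return target


if __name__ == "__main__":
    upload_dir = tempfile.mkdtemp()  # assumed upload directory
    # Constructed sample filenames as they might arrive in multipart data.
    for filename in ("report.pdf", "../../outside.txt", "..\\outside.txt", ".."):
        naive = naive_upload_path(upload_dir, filename)
        try:
            verdict = "stored as " + safe_upload_path(upload_dir, filename).name
        except UnsafeFilename:
            verdict = "rejected"
        print(f"{filename!r}: naive join stays inside="
              f"{is_contained(upload_dir, naive)}; hardened: {verdict}")
```

Rejecting any filename that contains a separator, instead of stripping the directory part, is an equally valid and stricter policy.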