Improper access control in Open WebUI - #VU130931

 


Published: May 11, 2026


Vulnerability identifier: #VU130931
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and delete arbitrary uploaded files.

The vulnerability exists due to improper access control in the files API endpoints when handling authenticated requests for file listing, file content retrieval, and file deletion. A remote user can send crafted requests to list, access, and delete files uploaded by other users, which leads to disclosure of sensitive information and deletion of arbitrary uploaded files.

The affected endpoints check only that the requester is a verified user and do not enforce an ownership check against the file's user_id.
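
The missing check described above, as an added example that is not Open WebUI's code: a verified-only lookup beside ownership-checked get, list and delete operations over an in-memory store. The class and function names, the role names and the admin bypass are assumptions made for illustration; only the user_id ownership field comes from the advisory.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not touch the requested file."""

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "pending", "user" or "admin" (role names are assumptions)

@dataclass(frozen=True)
class FileRecord:
    id: str
    user_id: str  # owner of the upload, the field the advisory refers to
    filename: str

def sample_store():  # constructed sample data: one upload each for two users
    return {"f1": FileRecord("f1", "alice", "notes.txt"),
            "f2": FileRecord("f2", "bob", "contract.pdf")}

def require_verified(user):
    if user.role not in ("user", "admin"):
        raise Forbidden("not a verified user")

def get_file_verified_only(store, user, file_id):
    """Flawed pattern: any verified user reaches any file by ID."""
    require_verified(user)
    return store[file_id]

def get_file_checked(store, user, file_id):
    """Hardened pattern: verified AND (owner OR admin)."""
    require_verified(user)
    record = store.get(file_id)
    # Same error for "missing" and "not yours" so file IDs cannot be probed.
    if record is None or (record.user_id != user.id and user.role != "admin"):
        raise Forbidden("file not found or not accessible")
    return record

def list_files_checked(store, user):
    """Listing is scoped to the caller's own uploads unless admin."""
    require_verified(user)
    return [f for f in store.values()
            if user.role == "admin" or f.user_id == user.id]

def delete_file_checked(store, user, file_id):
    """Deletion reuses the ownership check before mutating the store."""
    record = get_file_checked(store, user, file_id)
    del store[record.id]
    return record.id
```

Routing every read, list and delete through one ownership helper keeps the three endpoints from drifting apart, which is the failure the advisory describes.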


Remediation

Install the security update from the vendor's website.
