Path traversal in Open WebUI - CVE-2026-54014

 


Published: June 30, 2026


Vulnerability identifier: #VU135938
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54014
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in serve_cache_file() in open_webui/main.py when handling GET requests to /cache/{path}. A remote user can send a specially crafted request using a sibling-prefix traversal path to disclose sensitive information.

Only sibling directories whose names begin with "cache" are reachable through the bypass. Deep traversal and absolute paths are blocked, and delivering the payload may require a raw HTTP or ASGI request because some clients normalize ".." segments.
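The reachability pattern described above (sibling directories whose names begin with "cache" pass, other siblings and absolute paths do not) is what a containment check that compares resolved paths as strings produces. The following is an added example, not Open WebUI's code: the function names and the directory layout are constructed, and the use of a string-prefix comparison in the affected handler is an assumption. It contrasts that check with a comparison on path components.

```python
import os
import tempfile
from pathlib import Path


def prefix_check(base: Path, requested: str) -> bool:
    """Weak containment test (assumed pattern): compares resolved paths as strings."""
    target = os.path.realpath(os.path.join(base, requested))
    return target.startswith(os.path.realpath(base))


def component_check(base: Path, requested: str) -> bool:
    """Hardened containment test: compares path components, not characters."""
    root = Path(os.path.realpath(base))
    target = Path(os.path.realpath(root / requested))
    return target == root or root in target.parents


def demo() -> dict:
    """Evaluate both checks against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "cache"
        sibling = Path(tmp) / "cache_private"  # constructed sibling sharing the prefix
        other = Path(tmp) / "data"             # constructed sibling without the prefix
        for directory in (base, sibling, other):
            directory.mkdir()
        (base / "ok.txt").write_text("public")
        (sibling / "note.txt").write_text("private")
        (other / "note.txt").write_text("private")
        cases = {
            "inside": "ok.txt",
            "sibling_prefix": "../cache_private/note.txt",
            "other_sibling": "../data/note.txt",
            "absolute": "/etc/hostname",
        }
        # Each value is (prefix_check result, component_check result).
        return {name: (prefix_check(base, path), component_check(base, path))
                for name, path in cases.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in demo().items():
        print(f"{name:15} prefix_check={weak!s:5} component_check={hardened}")
```

The two checks disagree only on the sibling that shares the base directory's name prefix, which makes that case a useful regression test after applying the vendor update.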


How to mitigate CVE-2026-54014

Install the security update from the vendor's website.
