Missing Authorization in Open WebUI - CVE-2026-54012

 


Published: June 30, 2026


Vulnerability identifier: #VU135940
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54012
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to read and delete other users' files.

The vulnerability exists due to improper authorization in model metadata handling and file access control: forged meta.knowledge file references are stored and used without verifying that the user is allowed to access the referenced files. A remote user can create, update, or import a workspace model with a specially crafted meta.knowledge entry to read the content of the referenced file or delete it.

Exploitation requires the ability to create, update, or import workspace models and knowledge of a victim file ID.
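
A sketch of the missing check, added here as an example and not taken from Open WebUI's code: each meta.knowledge file reference is authorized against the caller when a model is created, updated or imported, and again before any read or delete. The record type, the function names and the {"id": ...} entry shape are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:          # hypothetical stand-in for a stored file row
    id: str
    owner_id: str
    shared_with: frozenset = frozenset()

class AuthorizationError(Exception):
    pass

def can_access(user_id, record):
    """Owner or explicit share only; holding the file ID grants nothing."""
    return record.owner_id == user_id or user_id in record.shared_with

def resolve(entry, files):
    """Map one knowledge entry (assumed shape: {"id": "<file id>"}) to a record."""
    file_id = entry.get("id") if isinstance(entry, dict) else None
    return files.get(file_id) if isinstance(file_id, str) else None

def validate_model_meta(user_id, meta, files):
    """Store-time check for model create, update and import.
    Unknown and foreign IDs fail identically, so the error is not an
    existence oracle for file IDs."""
    for entry in meta.get("knowledge") or []:
        record = resolve(entry, files)
        if record is None or not can_access(user_id, record):
            raise AuthorizationError("knowledge reference not permitted")
    return meta

def usable_knowledge(user_id, meta, files):
    """Use-time check before any read or delete, covering models that were
    stored before the store-time check existed."""
    records = (resolve(e, files) for e in meta.get("knowledge") or [])
    return [r for r in records if r is not None and can_access(user_id, r)]

# Constructed sample data
FILES = {
    "f-alice-1": FileRecord("f-alice-1", "alice"),
    "f-bob-1": FileRecord("f-bob-1", "bob"),
    "f-shared": FileRecord("f-shared", "alice", frozenset({"bob"})),
}

if __name__ == "__main__":
    forged = {"knowledge": [{"id": "f-bob-1"}, {"id": "f-alice-1"}]}
    print([r.id for r in usable_knowledge("bob", forged, FILES)])
    try:
        validate_model_meta("bob", forged, FILES)
    except AuthorizationError as exc:
        print("rejected:", exc)
```

Checking at both points matters because a store-time check alone does not cover model records that already contain foreign references.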


How to mitigate CVE-2026-54012

Install the security update from the vendor's website.
