Missing Authorization in Open WebUI - CVE-2026-54012
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to read and delete other users' files.
The vulnerability exists due to improper authorization in model metadata handling and file access control: forged meta.knowledge file references are stored and later used without proper authorization. A remote user can create, update, or import a workspace model with a specially crafted meta.knowledge entry to read the content of the referenced file or delete it.
Exploitation requires the ability to create, update, or import workspace models and knowledge of a victim file ID.
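A sketch of the check whose absence is described above, as an added example that is not Open WebUI's code or its patch: each file reference in meta.knowledge is authorized against the caller when a model is created, updated or imported, and again before the referenced file is read or deleted. The FileRecord type, the in-memory store, the function names and the {"type": "file", "id": ...} entry shape are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: a minimal stand-in for a stored file row (not Open WebUI's schema).
@dataclass(frozen=True)
class FileRecord:
    id: str
    owner_id: str
    readers: frozenset = frozenset()  # users granted read access

class KnowledgeRefDenied(Exception):
    """Raised for any reference the caller may not use."""

DENIED = "knowledge reference not permitted"

def can_access(rec, user_id, action):
    if rec.owner_id == user_id:
        return True
    # A read grant never implies the right to delete.
    return action == "read" and user_id in rec.readers

def check_knowledge_refs(meta, user_id, files, action="read"):
    """Return the file IDs in meta["knowledge"] that user_id may act on.

    Fails closed with one uniform error for malformed entries, unknown IDs
    and files owned by someone else, so a caller cannot use the response to
    learn whether a guessed file ID exists.
    """
    knowledge = meta.get("knowledge", []) if isinstance(meta, dict) else []
    if not isinstance(knowledge, list):
        raise KnowledgeRefDenied(DENIED)
    allowed = []
    for entry in knowledge:
        if not isinstance(entry, dict) or not isinstance(entry.get("id"), str):
            raise KnowledgeRefDenied(DENIED)
        if entry.get("type") != "file":
            continue  # assumption: other reference types get their own check
        rec = files.get(entry["id"])
        if rec is None or not can_access(rec, user_id, action):
            raise KnowledgeRefDenied(DENIED)
        allowed.append(rec.id)
    return allowed

# Constructed sample data.
FILES = {
    "f-alice": FileRecord("f-alice", "alice"),
    "f-shared": FileRecord("f-shared", "alice", frozenset({"bob"})),
    "f-bob": FileRecord("f-bob", "bob"),
}
forged = {"knowledge": [{"type": "file", "id": "f-alice"}]}
try:
    check_knowledge_refs(forged, "bob", FILES)
except KnowledgeRefDenied as exc:
    print("rejected:", exc)
```

Running the check only at save time is not enough: the same call belongs on the code path that resolves meta.knowledge for reading or deletion, because stored metadata may predate the check.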