Authorization bypass through user-controlled key in Open WebUI - CVE-2026-54010

 

Authorization bypass through user-controlled key in Open WebUI - CVE-2026-54010

Published: June 30, 2026


Vulnerability identifier: #VU135941
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54010
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to read arbitrary files belonging to other users.

The vulnerability exists due to authorization bypass through a user-controlled key in chat-file association handling when attaching a crafted file_id to a chat message and accessing the shared chat file content endpoint. A remote user can attach an arbitrary victim file_id to an attacker-controlled chat and then request the file content endpoint to read arbitrary files belonging to other users.

The issue requires knowledge of a victim file_id and relies on shared chat access being used to satisfy file authorization.


How to mitigate CVE-2026-54010

Install security update from vendor's website.

Sources