Missing Authorization in Open WebUI - #VU136840
Published: July 3, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to modify knowledge-base file membership.
The vulnerability exists due to improper access control in the upload auto-link path of the file upload background processing, which acts on user-supplied upload metadata. A remote user can supply a crafted metadata.knowledge_id value during file upload to modify knowledge-base file membership.
The issue requires a verified account and a valid target knowledge-base ID. A user with read access but without write access to the target knowledge base can exploit it.
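
The flaw class described above, shown as an added example that is not Open WebUI's code: a background auto-link step that trusts metadata.knowledge_id, beside one that checks write access before linking. Every class, function and ID here is hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical model: none of these names come from Open WebUI.
@dataclass
class KnowledgeBase:
    owner_id: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)
    file_ids: list = field(default_factory=list)

    def can_write(self, user_id):
        return user_id == self.owner_id or user_id in self.writers

class LinkDenied(Exception):
    """Raised when the uploader may not modify the target knowledge base."""

def auto_link_unchecked(kbs, user_id, file_id, metadata):
    # Flawed pattern: client-supplied ID is trusted, user_id is never consulted.
    kb = kbs.get((metadata or {}).get("knowledge_id"))
    if kb is not None:
        kb.file_ids.append(file_id)
    return kb is not None

def auto_link_checked(kbs, user_id, file_id, metadata):
    # user_id must come from the authenticated session, never from metadata.
    kb_id = (metadata or {}).get("knowledge_id")
    if kb_id is None:
        return False  # plain upload, nothing to link
    kb = kbs.get(kb_id)
    # One error for "unknown" and "not writable" so IDs cannot be probed.
    if kb is None or not kb.can_write(user_id):
        raise LinkDenied("knowledge base not found or not writable")
    if file_id not in kb.file_ids:
        kb.file_ids.append(file_id)
    return True

def demo():
    # Constructed data: bob can read kb-1 but cannot write to it.
    meta = {"knowledge_id": "kb-1"}
    flawed = {"kb-1": KnowledgeBase(owner_id="alice", readers={"bob"})}
    auto_link_unchecked(flawed, "bob", "file-a", meta)
    fixed = {"kb-1": KnowledgeBase(owner_id="alice", readers={"bob"})}
    try:
        auto_link_checked(fixed, "bob", "file-a", meta)
        denied = False
    except LinkDenied:
        denied = True
    auto_link_checked(fixed, "alice", "file-b", meta)
    return flawed["kb-1"].file_ids, denied, fixed["kb-1"].file_ids
```

The check sits inside the background step itself, so it still applies if another code path queues the same job.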