Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file. This vulnerability is fixed in 0.9.6.
Severity (CVSS)
| Base score | 8.3 |
|---|---|
| Severity | High |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
| Provided by | CNA |
Weaknesses
- CWE-284 — CWE-284: Improper Access Control
- CWE-639 — CWE-639: Authorization Bypass Through User-Controlled Key
- CWE-862 — CWE-862: Missing Authorization
Affected products
| Vendor | Product | Versions |
|---|---|---|
| open-webui | open-webui | < 0.9.6 |
References
- https://github.com/open-webui/open-webui/security/advisories/GHSA-vrhc-3fr6-pc3c (x_refsource_CONFIRM)
Generated from the official CVE List on 24 Jun 2026 09:35 UTC.