Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file. This vulnerability is fixed in 0.9.6.
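The authorization gap in the description, modelled as an added example that is not Open WebUI's code (File, Chat, attach_files, has_access_to_file and the user names are simplified stand-ins): the fix is to validate ownership of every file_id at attach time, so the shared-chat path inside has_access_to_file() can only ever reach files the chat owner was entitled to attach.

```python
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the file and chat tables.
@dataclass
class File:
    id: str
    owner: str

@dataclass
class Chat:
    id: str
    owner: str
    file_ids: list = field(default_factory=list)
    readers: set = field(default_factory=set)  # users granted read access by sharing

FILES = {"f1": File("f1", "victim")}
CHATS: dict = {}

class Forbidden(Exception):
    pass

def attach_files(chat, user, file_ids, check_ownership=True):
    """Attach file ids to a chat message. check_ownership=False reproduces the
    pre-0.9.6 behaviour the advisory describes: any file_id is accepted."""
    if chat.owner != user:
        raise Forbidden("only the chat owner may attach files")
    for fid in file_ids:
        f = FILES.get(fid)
        if check_ownership and (f is None or f.owner != user):
            raise Forbidden(f"{user} may not attach {fid}")
    chat.file_ids.extend(file_ids)

def has_access_to_file(file_id, user):
    """Owner always has access; otherwise access is derived from any shared
    chat the user can read that references the file."""
    f = FILES.get(file_id)
    if f is None:
        return False
    if f.owner == user:
        return True
    return any(file_id in c.file_ids and user in c.readers for c in CHATS.values())

def simulate(check_ownership):
    """Run the flow from the description and report whether a non-owner ends up
    with access to f1. Returns False when the attach-time check holds."""
    CHATS.clear()
    chat = Chat("c1", "other_user")
    CHATS["c1"] = chat
    try:
        attach_files(chat, "other_user", ["f1"], check_ownership)
    except Forbidden:
        return False
    chat.readers.add("other_user")  # chat shared, owner grants self read access
    return has_access_to_file("f1", "other_user")
```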

Severity (CVSS)

Base score: 8.3
Severity: High
Version: CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Provided by: CNA

Weaknesses

  • CWE-284: Improper Access Control
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-862: Missing Authorization

Affected products

Vendor: open-webui
Product: open-webui
Versions: < 0.9.6

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 24 Jun 2026 09:35 UTC.