CVE-2026-29070

GHSA-26gm-93rw-cchf MEDIUM

open-webui: missing authz allows cross-KB file deletion

Published March 27, 2026

CISO Take

Any authenticated Open WebUI user can destroy files in knowledge bases they don't own — just by knowing a file ID. This directly sabotages RAG pipelines: an attacker can silently gut a colleague's knowledge base, degrading AI assistant quality without triggering obvious errors. Patch to 0.8.6 immediately; if you can't, restrict knowledge base write access to trusted users only.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| open-webui | pip | < 0.8.6 | 0.8.6 |

If you run open-webui below 0.8.6, you are affected.

Severity & Risk

CVSS 3.1: 5.4 / 10

EPSS: 0.0% chance of exploitation in 30 days

KEV Status: Not in KEV

Sophistication: Trivial

Recommended Action

  1. Upgrade open-webui pip package to >= 0.8.6 (fix validates file-to-knowledge-base ownership before deletion).
  2. If immediate patching is blocked: restrict knowledge base write permissions to admin-only via Open WebUI RBAC settings.
  3. Audit access logs for anomalous POST requests to /api/v1/knowledge/{id}/file/remove where the {id} does not match the authenticated user's own knowledge bases.
  4. Back up knowledge base contents and vector collections regularly — this attack leaves no recoverable state.
  5. Rotate API bearer tokens if unauthorized deletions are suspected.
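An added example for the log audit in step 3 (not code from the advisory or from Open WebUI): in the PoC the knowledge base id in the URL is the requester's own, so the useful test is whether the `file_id` in the request body was a member of that knowledge base. It assumes audit records that capture the JSON request body and a membership snapshot taken before the review window; the record field names, user names and the two placeholder ids are constructed.

```python
import json
import re

# Path of the removal endpoint named in the advisory; delete_file may follow as a query string.
REMOVE_PATH = re.compile(r"^/api/v1/knowledge/(?P<kb>[0-9a-f-]{36})/file/remove(?:\?.*)?$")

ATTACKER_KB = "dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b"   # from the advisory PoC
VICTIM_FILE = "9db6dcee-bb3b-483e-aaf3-310fda366af1"   # from the advisory PoC
VICTIM_KB = "00000000-0000-4000-8000-00000000000a"     # constructed placeholder
OWN_FILE = "00000000-0000-4000-8000-00000000000b"      # constructed placeholder
# Constructed snapshot taken before the review window: knowledge base id -> file ids.
KB_FILES = {ATTACKER_KB: {OWN_FILE}, VICTIM_KB: {VICTIM_FILE}}

# Constructed audit records, one JSON object per line (field names are assumptions).
SAMPLE_LOG = "\n".join([
    json.dumps({"user": "bob", "method": "POST", "status": 200,
                "path": f"/api/v1/knowledge/{ATTACKER_KB}/file/remove",
                "body": {"file_id": OWN_FILE}}),
    json.dumps({"user": "bob", "method": "POST", "status": 200,
                "path": f"/api/v1/knowledge/{ATTACKER_KB}/file/remove?delete_file=true",
                "body": {"file_id": VICTIM_FILE}}),
    json.dumps({"user": "carol", "method": "POST", "status": 400,
                "path": f"/api/v1/knowledge/{VICTIM_KB}/file/remove",
                "body": {"file_id": VICTIM_FILE}}),
    "truncated line {",
])

def find_cross_kb_removals(log_text, kb_files):
    """Return successful removals whose file_id was not in the knowledge base named in the URL."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip records that are not valid JSON
        if not isinstance(rec, dict):
            continue
        match = REMOVE_PATH.match(str(rec.get("path", "")))
        if rec.get("method") != "POST" or rec.get("status") != 200 or not match:
            continue
        body = rec.get("body")
        file_id = body.get("file_id") if isinstance(body, dict) else None
        kb_id = match.group("kb")
        if file_id is None or file_id in kb_files.get(kb_id, set()):
            continue  # no file id logged, or the file really was in that knowledge base
        holders = sorted(kb for kb, files in kb_files.items() if file_id in files)
        findings.append({"user": rec.get("user"), "kb_in_url": kb_id,
                         "file_id": file_id, "held_by": holders})
    return findings
```

A finding with an empty `held_by` means the file was unknown to the snapshot (for example, uploaded after it was taken) and needs manual review rather than being treated as a confirmed cross-knowledge-base deletion.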

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001: A.6.2 - Access control for AI systems

NIST AI RMF: MANAGE-2.2 - Manage AI risks related to data quality and integrity

OWASP LLM Top 10: LLM08:2025 - Vector and Embedding Weaknesses

Technical Details

NVD Description

### Summary

An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id)

### Details

The source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:

```
@router.post("/{id}/file/remove", response_model=Optional[KnowledgeFilesResponse])
def remove_file_from_knowledge_by_id(
    id: str,
    form_data: KnowledgeFileIdForm,
    delete_file: bool = Query(True),
    user=Depends(get_verified_user),
    db: Session = Depends(get_session),
):
    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)
    [...]
    # Note : Access control check on the knowledge base
    if (
        knowledge.user_id != user.id
        and not AccessGrants.has_access(
            user_id=user.id,
            resource_type="knowledge",
            resource_id=knowledge.id,
            permission="write",
            db=db,
        )
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    file = Files.get_file_by_id(form_data.file_id, db=db)
    [...]
    # Note : No checks on the file
    if delete_file:
        try:
            # Remove the file's collection from vector database
            file_collection = f"file-{form_data.file_id}"
            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):
                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)
        except Exception as e:
            log.debug("This was most likely caused by bypassing embedding processing")
            log.debug(e)
            pass

        # Delete file from database
        Files.delete_file_by_id(form_data.file_id, db=db)
    [...]
```

### PoC

Victim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1)

Attacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b)

Attacker deletes the victim file from their own collection:

```
POST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1
Host: gaius-neo-val.fr.space.corp
Authorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0
[...]

{"file_id":"9db6dcee-bb3b-483e-aaf3-310fda366af1"}

-----

HTTP/1.1 200 OK
[...]
```

The file is then deleted from the victim's knowledge base.

### Impact

Arbitrary file deletion

Exploitation Scenario

An attacker with a standard user account on a shared Open WebUI instance (e.g., a corporate AI assistant deployment) creates their own empty knowledge base to obtain a valid collection ID. Through normal use or by observing network traffic, they collect file IDs from a victim's knowledge base — file IDs are UUIDs exposed in API responses. The attacker then sends a POST to their own knowledge base endpoint with the victim's file IDs in the request body. The server checks write access only on the attacker's knowledge base (granted), skips ownership validation on the file, and deletes it from the victim's knowledge base and vector store. A targeted attacker could systematically enumerate and delete all files from critical enterprise knowledge bases (HR policies, security runbooks, compliance docs) that feed production AI assistants, causing silent knowledge degradation.
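The missing check described above, modeled as an added example (not Open WebUI's code and not the actual 0.8.6 patch, which this page does not show): the flawed flow beside one that requires the file to be linked to the knowledge base that was authorized. The in-memory store and every name in it are hypothetical.

```python
# In-memory stand-ins for the knowledge base, link and file tables (all names hypothetical).
def make_store():
    return {
        "kb_owner": {"kb-victim": "victim", "kb-attacker": "attacker"},
        "kb_files": {"kb-victim": {"file-v1"}, "kb-attacker": {"file-a1"}},
        "files": {"file-v1": "runbook", "file-a1": "notes"},
    }


def require_write(store, kb_id, user, role):
    """Knowledge-base-level check, the only one the flawed flow performs."""
    if kb_id not in store["kb_owner"]:
        raise LookupError("unknown knowledge base")
    if store["kb_owner"][kb_id] != user and role != "admin":
        raise PermissionError("no write access to this knowledge base")


def remove_file_unchecked(store, kb_id, file_id, user, role="user"):
    """Flow as described in the advisory: authorize the knowledge base, then delete by file id."""
    require_write(store, kb_id, user, role)
    store["kb_files"][kb_id].discard(file_id)
    store["files"].pop(file_id, None)  # global delete, whichever knowledge base holds the file


def remove_file_checked(store, kb_id, file_id, user, role="user"):
    """Same flow, but the file must be linked to the knowledge base that was authorized."""
    require_write(store, kb_id, user, role)
    if file_id not in store["kb_files"][kb_id]:
        raise LookupError("file is not part of this knowledge base")
    store["kb_files"][kb_id].discard(file_id)
    # Example design choice: drop the file itself only when no knowledge base still links it.
    if not any(file_id in linked for linked in store["kb_files"].values()):
        store["files"].pop(file_id, None)


def victim_file_survives(remove):
    """Run the cross-knowledge-base request against a fresh store; True if the file is kept."""
    store = make_store()
    try:
        remove(store, "kb-attacker", "file-v1", user="attacker")
    except (LookupError, PermissionError):
        pass  # request rejected
    return "file-v1" in store["files"] and "file-v1" in store["kb_files"]["kb-victim"]
```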

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Timeline

Published: March 27, 2026

Last Modified: March 27, 2026

First Seen: March 27, 2026