CVE-2026-29070: open-webui: missing authz allows cross-KB file deletion
GHSA-26gm-93rw-cchf | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Any authenticated Open WebUI user can destroy files in knowledge bases they don't own — just by knowing a file ID. This directly sabotages RAG pipelines: an attacker can silently gut a colleague's knowledge base, degrading AI assistant quality without triggering obvious errors. Patch to 0.8.6 immediately; if you can't, restrict knowledge base write access to trusted users only.
What is the risk?
CVSS 5.4 understates operational impact in AI environments. The exploit is trivial (valid session + any file ID), the PoC is public, and Open WebUI is widely deployed in enterprise AI stacks. The EPSS (0.00031) reflects low current exploitation, but the barrier to abuse is minimal. The risk is highest in multi-tenant or shared Open WebUI deployments where users operate separate knowledge bases for different projects or sensitivity levels.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | < 0.8.6 | 0.8.6 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps:
1. Upgrade open-webui pip package to >= 0.8.6 (fix validates file-to-knowledge-base ownership before deletion).
2. If immediate patching is blocked: restrict knowledge base write permissions to admin-only via Open WebUI RBAC settings.
3. Audit access logs for anomalous POST requests to /api/v1/knowledge/{id}/file/remove where the {id} does not match the authenticated user's own knowledge bases.
4. Back up knowledge base contents and vector collections regularly — this attack leaves no recoverable state.
5. Rotate API bearer tokens if unauthorized deletions are suspected.
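One way to carry out the log audit, as an added example (not Open WebUI code): in the advisory's PoC the URL carries the caller's own knowledge base ID and the foreign ID sits in the `file_id` body field, so this check flags successful removals whose `file_id` was not linked to the knowledge base named in the URL. The audit-record fields and the `kb_files` membership snapshot are assumptions, and the sample records are constructed.

```python
import re

# Endpoint path from the advisory; the URL segment is the knowledge base ID.
REMOVE_PATH = re.compile(r"^/api/v1/knowledge/(?P<kb_id>[0-9a-f-]{36})/file/remove$")

def find_cross_kb_removals(records, kb_files):
    """Flag successful removals whose file_id was not linked to the URL's KB.

    records:  dicts with user, method, path, status, file_id (assumed audit
              format that captures the file_id field of the JSON body).
    kb_files: kb_id -> set of file IDs, taken from a pre-incident backup.
    """
    hits = []
    for rec in records:
        match = REMOVE_PATH.match(rec.get("path", ""))
        if rec.get("method") != "POST" or rec.get("status") != 200 or not match:
            continue
        file_id = rec.get("file_id")
        if file_id is None:
            continue  # body not captured: this request cannot be judged
        kb_id = match.group("kb_id")
        if file_id not in kb_files.get(kb_id, set()):
            # Report which knowledge base(s) really held the file, for triage.
            owners = sorted(k for k, ids in kb_files.items() if file_id in ids)
            hits.append({"user": rec["user"], "url_kb": kb_id,
                         "file_id": file_id, "owner_kbs": owners})
    return hits

# Constructed sample data. The first two IDs are the ones used in the
# advisory's PoC; the other IDs and all user names are made up.
ATTACKER_KB = "dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b"
VICTIM_FILE = "9db6dcee-bb3b-483e-aaf3-310fda366af1"
VICTIM_KB = "11111111-1111-4111-8111-111111111111"
OWN_FILE = "22222222-2222-4222-8222-222222222222"
KB_FILES = {ATTACKER_KB: {OWN_FILE}, VICTIM_KB: {VICTIM_FILE}}
REMOVE_URL = f"/api/v1/knowledge/{ATTACKER_KB}/file/remove"
SAMPLE_RECORDS = [
    {"user": "user-a", "method": "POST", "path": REMOVE_URL, "status": 200,
     "file_id": OWN_FILE},     # normal: file belongs to the KB in the URL
    {"user": "user-a", "method": "POST", "path": REMOVE_URL, "status": 200,
     "file_id": VICTIM_FILE},  # file belongs to a different KB
    {"user": "user-b", "method": "GET", "path": f"/api/v1/knowledge/{VICTIM_KB}",
     "status": 200, "file_id": None},
]

if __name__ == "__main__":
    for hit in find_cross_kb_removals(SAMPLE_RECORDS, KB_FILES):
        print(hit)
```

Files uploaded after the membership snapshot was taken will also be flagged, so confirm each hit against the owning knowledge base before treating it as abuse.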
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2026-29070 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-29070, increasing the risk of exploitation.
What systems are affected by CVE-2026-29070?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, knowledge management systems, multi-user AI platforms, vector databases.
What is the CVSS score for CVE-2026-29070?
CVE-2026-29070 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.25%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0059 Erode Dataset Integrity
- AML.T0085.000 RAG Databases
- AML.T0101 Data Destruction via AI Agent Tool Invocation
Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary

An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id).

### Details

The source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:

```
@router.post("/{id}/file/remove", response_model=Optional[KnowledgeFilesResponse])
def remove_file_from_knowledge_by_id(
    id: str,
    form_data: KnowledgeFileIdForm,
    delete_file: bool = Query(True),
    user=Depends(get_verified_user),
    db: Session = Depends(get_session),
):
    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)
    [...]
    # Note : Access control check on the knowledge base
    if (
        knowledge.user_id != user.id
        and not AccessGrants.has_access(
            user_id=user.id,
            resource_type="knowledge",
            resource_id=knowledge.id,
            permission="write",
            db=db,
        )
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    file = Files.get_file_by_id(form_data.file_id, db=db)
    [...]
    # Note : No checks on the file
    if delete_file:
        try:
            # Remove the file's collection from vector database
            file_collection = f"file-{form_data.file_id}"
            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):
                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)
        except Exception as e:
            log.debug("This was most likely caused by bypassing embedding processing")
            log.debug(e)
            pass

        # Delete file from database
        Files.delete_file_by_id(form_data.file_id, db=db)
    [...]
```

### PoC

- Victim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1)
- Attacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b)
- Attacker deletes the victim file from their own collection:

```
POST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1
Host: gaius-neo-val.fr.space.corp
Authorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0
[...]

{"file_id":"9db6dcee-bb3b-483e-aaf3-310fda366af1"}

-----
HTTP/1.1 200 OK
[...]
```

The file is then deleted from the victim's knowledge base.

### Impact

Arbitrary file deletion
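The missing check, reduced to a self-contained model, as an added example (not Open WebUI's code or its actual patch): the unchecked removal authorises only the knowledge base, while the checked one also requires the file to be linked to that knowledge base. `Store`, the function names and the IDs are hypothetical, and write access is simplified to ownership.

```python
class Forbidden(Exception):
    """Caller lacks write access to the knowledge base."""

class NotInKnowledgeBase(Exception):
    """The file is not linked to the knowledge base named in the request."""

class Store:
    """In-memory stand-in for the knowledge and file tables (hypothetical)."""
    def __init__(self):
        self.kb_owner = {}   # kb_id -> owning user_id
        self.kb_files = {}   # kb_id -> set of linked file IDs
        self.files = set()   # every stored file ID

    def add_kb(self, kb_id, owner):
        self.kb_owner[kb_id] = owner
        self.kb_files[kb_id] = set()

    def add_file(self, kb_id, file_id):
        self.kb_files[kb_id].add(file_id)
        self.files.add(file_id)

def require_write(store, kb_id, user_id):
    # Same scope as the advisory's check: the knowledge base only.
    if store.kb_owner.get(kb_id) != user_id:
        raise Forbidden(kb_id)

def remove_file_unchecked(store, kb_id, file_id, user_id):
    """Behaviour described in the advisory: the file itself is never checked."""
    require_write(store, kb_id, user_id)
    for linked in store.kb_files.values():
        linked.discard(file_id)        # file row is gone, so every link dies
    store.files.discard(file_id)

def remove_file_checked(store, kb_id, file_id, user_id):
    """Adds the missing check: file must be linked to the KB in the request."""
    require_write(store, kb_id, user_id)
    if file_id not in store.kb_files[kb_id]:
        raise NotInKnowledgeBase(file_id)
    store.kb_files[kb_id].discard(file_id)
    store.files.discard(file_id)

def build_store():
    """Constructed scenario: two users, one knowledge base each."""
    store = Store()
    store.add_kb("kb-victim", "victim")
    store.add_kb("kb-attacker", "attacker")
    store.add_file("kb-victim", "file-victim")
    store.add_file("kb-attacker", "file-attacker")
    return store
```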
Exploitation Scenario
An attacker with a standard user account on a shared Open WebUI instance (e.g., a corporate AI assistant deployment) creates their own empty knowledge base to obtain a valid collection ID. Through normal use or by observing network traffic, they collect file IDs from a victim's knowledge base — file IDs are UUIDs exposed in API responses. The attacker then sends a POST to their own knowledge base endpoint with the victim's file IDs in the request body. The server checks write access only on the attacker's knowledge base (granted), skips ownership validation on the file, and deletes it from the victim's knowledge base and vector store. A targeted attacker could systematically enumerate and delete all files from critical enterprise knowledge bases (HR policies, security runbooks, compliance docs) that feed production AI assistants, causing silent knowledge degradation.
Weaknesses (CWE)
CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
References
Timeline
Related Vulnerabilities
- CVE-2026-44551 (9.1): open-webui: LDAP auth bypass — full account takeover (same package: open-webui)
- CVE-2026-45672 (8.8): open-webui: code exec gate bypass via API endpoint (same package: open-webui)
- CVE-2026-44552 (8.7): open-webui: Redis cache poisoning enables cross-instance tool hijack (same package: open-webui)
- CVE-2025-64495 (8.7): Open WebUI: XSS-to-RCE via malicious prompt injection (same package: open-webui)
- CVE-2026-45315 (8.7): open-webui: stored XSS → JWT theft and admin takeover (same package: open-webui)