AI Threat Alert

CVE-2026-44565: open-webui: path traversal enables file write/delete

GHSA-j3fw-wc48-29g3 HIGH CISA: TRACK*
Published May 11, 2026
CISO Take

Open WebUI's model upload endpoint fails to sanitize filenames, allowing any authenticated user to write attacker-controlled content to arbitrary filesystem locations and subsequently delete files via an unsanitized path traversal in the `/ollama/models/upload` API. With a CVSS of 8.1, low attack complexity, and no user interaction required beyond a valid session token, this is trivially exploitable against any internet-accessible Open WebUI instance — a platform that has accumulated 57 tracked CVEs, indicating systemic security debt. While not in CISA KEV and no public exploit is confirmed, the destructive write-then-delete pattern can corrupt model weights, plant backdoors in SSH or cron directories, or deny LLM inference service entirely by destroying model artifacts. Organizations should upgrade to open-webui 0.6.10 immediately; if patching is delayed, block the `/ollama/models/upload` endpoint at the WAF or reverse proxy level and confirm the service account running Open WebUI has no write access outside designated model directories.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk (CVSS 8.1, I:H/A:H). Network-accessible, low complexity, low privilege, and no user interaction make this trivially weaponizable. The dual-impact nature — arbitrary write followed by forced delete — creates compounded integrity and availability exposure. AI/ML deployments typically run web servers with broad access to model storage directories, amplifying potential blast radius. The 57 tracked CVEs in this package indicate recurring security immaturity and elevates the likelihood of additional undiscovered attack surface.

How does the attack unfold?

Initial Access
Attacker authenticates to Open WebUI using a valid low-privilege user account or stolen session token.
AML.T0012
Exploitation
Attacker crafts a multipart POST to `/ollama/models/upload` with a path-traversal filename (e.g., `../../../etc/cron.d/backdoor`) to write attacker-controlled content outside the intended upload directory.
AML.T0049
Persistence
Attacker writes an SSH authorized_keys entry or cron job to establish persistent access to the host running the LLM infrastructure under the web server's identity.
Impact
Model weight files or system files are overwritten with malicious or corrupt content, then auto-deleted via `os.remove()`, achieving either full host compromise or denial of LLM inference service.
AML.T0029

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.6.9 0.6.10
142.4K Pushed 5d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 36% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C None
I High
A High

What should I do?

5 steps

  1. Upgrade to open-webui >= 0.6.10 which applies os.path.basename() sanitization to uploaded filenames (one-line fix at main.py:1070).

  2. If immediate patching is not possible, block or restrict the /ollama/models/upload endpoint via WAF or reverse proxy rules to trusted IP ranges only.

  3. Enforce a dedicated service account for Open WebUI with filesystem write access restricted exclusively to designated upload and model directories using Linux ACLs or DAC.

  4. Audit existing filesystem permissions on the host for over-permissive service account access.

  5. Review access logs for POST requests to /ollama/models/upload containing ../ sequences in Content-Disposition headers as an indicator of exploitation attempts.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution DoS Inference Framework AML.T0012 AML.T0018 AML.T0029 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security Clause 6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to identified AI risks MANAGE-2.2 - Strategies to address identified AI risks
OWASP LLM Top 10
LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-44565?

Open WebUI's model upload endpoint fails to sanitize filenames, allowing any authenticated user to write attacker-controlled content to arbitrary filesystem locations and subsequently delete files via an unsanitized path traversal in the `/ollama/models/upload` API. With a CVSS of 8.1, low attack complexity, and no user interaction required beyond a valid session token, this is trivially exploitable against any internet-accessible Open WebUI instance — a platform that has accumulated 57 tracked CVEs, indicating systemic security debt. While not in CISA KEV and no public exploit is confirmed, the destructive write-then-delete pattern can corrupt model weights, plant backdoors in SSH or cron directories, or deny LLM inference service entirely by destroying model artifacts. Organizations should upgrade to open-webui 0.6.10 immediately; if patching is delayed, block the `/ollama/models/upload` endpoint at the WAF or reverse proxy level and confirm the service account running Open WebUI has no write access outside designated model directories.

Is CVE-2026-44565 actively exploited?

No confirmed active exploitation of CVE-2026-44565 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44565?

1. Upgrade to open-webui >= 0.6.10 which applies `os.path.basename()` sanitization to uploaded filenames (one-line fix at main.py:1070). 2. If immediate patching is not possible, block or restrict the `/ollama/models/upload` endpoint via WAF or reverse proxy rules to trusted IP ranges only. 3. Enforce a dedicated service account for Open WebUI with filesystem write access restricted exclusively to designated upload and model directories using Linux ACLs or DAC. 4. Audit existing filesystem permissions on the host for over-permissive service account access. 5. Review access logs for POST requests to `/ollama/models/upload` containing `../` sequences in Content-Disposition headers as an indicator of exploitation attempts.

What systems are affected by CVE-2026-44565?

This vulnerability affects the following AI/ML architecture patterns: LLM serving infrastructure, model serving, AI/ML web UIs.

What is the CVSS score for CVE-2026-44565?

CVE-2026-44565 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.45%.

What is the AI security impact?

Affected AI Architectures

LLM serving infrastructuremodel servingAI/ML web UIs

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0018 Manipulate AI Model
AML.T0029 Denial of AI Service
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2, Clause 6.1.2
NIST AI RMF: MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

** CONFIDENTIAL ** Vulnerability Disclosure Analysis Documentation ----------------------------------------------- Vulnerability Details --------------------- 1. Discoverer: Taylor Pennington of KoreLogic, Inc. 2. Date Submitted: June 11, 2024 3. Title: Open WebUI Arbitrary File Write, Delete via Path Traversal 4. High-level Summary: Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. After the file is written, it is deleted. 5. Affected Vendor: Open WebUI 6. Affected Product(s): Open WebUI (Formerly Ollama WebUI) 7. Affected Version(s): 0.1.105 8. Platform/OS: Debian GNU/Linux 12 (bookworm) 9. Vector: HTTP web interface 10. CWE: 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 11. Technical Analysis: When attaching files to a prompt by clicking the plus sign (+) on the left of the message input box when using the Open WebUI HTTP interface, the file is uploaded to a static upload directory. If the file is an audio file it will be sent to a second API that will attempt to transcribe it. The name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This can be visualized by examining the python code for the "/ollama/models/upload" API route (https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/apps/ollama/main.py#L1063-L1127): ``` def upload_model(file: UploadFile = File(...), url_idx: Optional[int] = None): if url_idx == None: url_idx = 0 ollama_url = app.state.OLLAMA_BASE_URLS[url_idx] file_path = f"{UPLOAD_DIR}/{file.filename}" # Save file in chunks with open(file_path, "wb+") as f: for chunk in file.file: f.write(chunk) def file_process_stream(): nonlocal ollama_url total_size = os.path.getsize(file_path) chunk_size = 1024 * 1024 try: with open(file_path, "rb") as f: total = 0 done = False while not done: chunk = f.read(chunk_size) if not chunk: done = True continue total += len(chunk) progress = round((total / total_size) * 100, 2) res = { "progress": progress, "total": total_size, "completed": total, } yield f"data: {json.dumps(res)}\n\n" if done: f.seek(0) hashed = calculate_sha256(f) f.seek(0) url = f"{ollama_url}/api/blobs/sha256:{hashed}" response = requests.post(url, data=f) if response.ok: res = { "done": done, "blob": f"sha256:{hashed}", "name": file.filename, } os.remove(file_path) yield f"data: {json.dumps(res)}\n\n" else: raise Exception( "Ollama: Could not create blob, Please try again." ) except Exception as e: res = {"error": str(e)} yield f"data: {json.dumps(res)}\n\n" return StreamingResponse(file_process_stream(), media_type="text/event-stream") ``` The model is temporarily written to disk in chunks and then the data is sent to another internal API. Once the file is successfully passed, the file is removed from the disk. Note line 1116, `os.remove(file_path)`. This has an affect of stomping on and ultimately deleting any file that the user of the open-webui service has permissions over. It may be possible to continue sending chunks to the file slowly and create a race condition however, this was not validated. 12. Proof-of-Concept: First, create a file under the `/tmp` directory named `DELETE_ME` while logged in as the user account of the web application or chown the file to be owned by the open-webui user. ``` # su ollama # touch /tmp/DELETE_ME ``` Execute the following cURL command after replacing the exported `JWT` value for a valid user session: ``` export JWT="JWT_HERE"; curl -s -X $'POST' \ -H $'Host: openwebui.example.com' -H $'Content-Length: 206' -H "Authorization: Bearer ${JWT}" -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \ --data-binary $'------WebKitFormBoundary7MA4YWxkTrZu0gW\x0d\x0aContent-Disposition: form-data; name=\"file\"; filename=\"../../../../../../../tmp/DELETE_ME\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a\x0d\x0a------WebKitFormBoundary7MA4YWxkTrZu0gW--' \ $'https://openwebui.example.com/ollama/models/upload' ``` Verify that `/tmp/DELETE_ME` has been deleted. 13. Mitigation Recommendation: Modify line 1070 (https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/apps/ollama/main.py#L1070) to: ``` filename = os.path.basename(file.filename) file_path = f"{UPLOAD_DIR}/{filename}" ```

Exploitation Scenario

An adversary with a low-privilege Open WebUI account — obtained via credential stuffing, phishing, or a compromised API token — sends a crafted multipart POST to `/ollama/models/upload` with a filename such as `../../../home/ollama/.ssh/authorized_keys`. The server writes the attacker's public SSH key to that path, establishing persistent access to the host running the LLM infrastructure. In a destructive variant, the attacker targets model weight files (e.g., `../../../opt/models/llama3/model.bin`) with corrupt content; the subsequent `os.remove()` call then deletes the original, taking the inference service offline. By chaining multiple upload requests, an attacker can systematically destroy an organization's entire local model library or overwrite cron jobs to achieve code execution under the web server's identity.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References

Timeline

Published
May 11, 2026
Last Modified
May 11, 2026
First Seen
May 11, 2026

Related Vulnerabilities

CRITICAL CVE-2026-44551 9.1

open-webui: LDAP auth bypass — full account takeover

Same package: open-webui
HIGH CVE-2026-45672 8.8

open-webui: code exec gate bypass via API endpoint

Same package: open-webui
HIGH CVE-2025-64495 8.7

Open WebUI: XSS-to-RCE via malicious prompt injection

Same package: open-webui
HIGH CVE-2026-44552 8.7

open-webui: Redis cache poisoning enables cross-instance tool hijack

Same package: open-webui
HIGH CVE-2026-45315 8.7

open-webui: stored XSS → JWT theft and admin takeover

Same package: open-webui
Back to Threat Feed