CVE-2026-45402 — HIGH (CVSS 8.1)

Q: What is CVE-2026-45402?

open-webui <= 0.9.4 allows any authenticated user to silently read and overwrite another user's private uploaded files by supplying the target's file UUID to unguarded folder-knowledge or knowledge-base attachment endpoints. Once attached, the victim's document flows directly into the LLM's RAG context, surfacing its full contents in chat responses — no further privilege escalation required. While file UUIDs are V4 and not brute-forceable, they routinely leak through shared chat citations, workspace URLs, browser history, and export flows, making opportunistic exploitation realistic in any multi-tenant deployment; with 91 prior CVEs in this package and a trivial two-curl PoC, weaponization is a low bar. Organizations running open-webui for team or enterprise use should upgrade to v0.9.5 immediately; if patching is delayed, restrict the instance to single-tenant or fully trusted-user environments and audit access logs for unexpected calls to /api/v1/folders/*/update and /api/v1/knowledge/*/file/add.

Q: Is CVE-2026-45402 actively exploited?

No confirmed active exploitation of CVE-2026-45402 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-45402?

1. PATCH: Upgrade open-webui to v0.9.5 immediately — this release adds per-file ownership validation at every writer endpoint, closing both attack paths. 2. WORKAROUND (if patching is delayed): Restrict the instance to single-tenant use or a fully trusted internal user group; do not expose multi-tenant open-webui to any untrusted authenticated users. 3. DETECTION: Audit application and API gateway logs for POST requests to /api/v1/folders/*/update containing file_id values not created by the requesting user, and POST requests to /api/v1/knowledge/*/file/add or */files/batch/add referencing cross-user file IDs. Correlate with anomalous chat sessions in folders with recently-attached unfamiliar file IDs. 4. INCIDENT RESPONSE: If exploitation is suspected, enumerate knowledge base and folder data fields for unexpected file_id references; compare file content hashes against backup baselines to detect tampering; revoke API tokens for affected user accounts and notify impacted document owners.

Q: What systems are affected by CVE-2026-45402?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, multi-tenant AI chatbot deployments, knowledge base systems, document-grounded LLM applications, enterprise AI assistant platforms.

Q: What is the CVSS score for CVE-2026-45402?

CVE-2026-45402 has a CVSS v3.1 base score of 8.1 (HIGH).

CISO Take

open-webui <= 0.9.4 allows any authenticated user to silently read and overwrite another user's private uploaded files by supplying the target's file UUID to unguarded folder-knowledge or knowledge-base attachment endpoints. Once attached, the victim's document flows directly into the LLM's RAG context, surfacing its full contents in chat responses — no further privilege escalation required. While file UUIDs are V4 and not brute-forceable, they routinely leak through shared chat citations, workspace URLs, browser history, and export flows, making opportunistic exploitation realistic in any multi-tenant deployment; with 91 prior CVEs in this package and a trivial two-curl PoC, weaponization is a low bar. Organizations running open-webui for team or enterprise use should upgrade to v0.9.5 immediately; if patching is delayed, restrict the instance to single-tenant or fully trusted-user environments and audit access logs for unexpected calls to /api/v1/folders/*/update and /api/v1/knowledge/*/file/add.

Sources: GitHub Advisory NVD ATLAS

What is the risk?

High severity (CVSS 8.1, AV:N/AC:L/PR:L/UI:N). The authorization bypass requires only a valid user session and a target file UUID — the PoC is two curl commands with zero AI/ML expertise needed, placing exploitation firmly in script-kiddie territory. The dual-path nature amplifies risk: Path 1 causes immediate exfiltration within a single chat session, while Path 2 grants persistent cross-session read and write access to the victim's file with no cleanup pass to mitigate it. Not currently in CISA KEV, but the low exploitation barrier and high-value target profile — proprietary documents in enterprise AI deployments — make active weaponization likely as awareness spreads. The package's history of 91 CVEs and a risk score of 38/100 suggest systemic security debt that elevates residual risk beyond this single issue.

Attack Kill Chain

UUID Acquisition

Attacker obtains a victim's file UUID through passive observation of shared chat citations, workspace URLs (/workspace/files/<id>), browser referrer headers, or export metadata — no enumeration or brute force required.

AML.T0064

Authorization Bypass

Attacker POSTs to /api/v1/knowledge/{attacker_kb_id}/file/add with the victim's file_id; the endpoint validates write access to the attacker's KB but not file ownership, silently attaching the victim's private document.

AML.T0049

Data Exfiltration

Attacker retrieves the victim's full document content via /api/v1/files/{victim_file_id}/content directly, or triggers RAG retrieval by chatting in a folder poisoned with the victim's file_id to surface contents in LLM responses.

AML.T0085.000

Integrity Compromise

Attacker overwrites the victim's file via /api/v1/files/{victim_file_id}/data/content/update with attacker-crafted content, poisoning the RAG knowledge base so all subsequent queries by the victim or automated pipelines return tampered output.

AML.T0070

UUID Acquisition

Attacker obtains a victim's file UUID through passive observation of shared chat citations, workspace URLs (/workspace/files/<id>), browser referrer headers, or export metadata — no enumeration or brute force required.

AML.T0064

Authorization Bypass

Attacker POSTs to /api/v1/knowledge/{attacker_kb_id}/file/add with the victim's file_id; the endpoint validates write access to the attacker's KB but not file ownership, silently attaching the victim's private document.

AML.T0049

Data Exfiltration

Attacker retrieves the victim's full document content via /api/v1/files/{victim_file_id}/content directly, or triggers RAG retrieval by chatting in a folder poisoned with the victim's file_id to surface contents in LLM responses.

AML.T0085.000

Integrity Compromise

Attacker overwrites the victim's file via /api/v1/files/{victim_file_id}/data/content/update with attacker-crafted content, poisoning the RAG knowledge base so all subsequent queries by the victim or automated pipelines return tampered output.

AML.T0070

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
open-webui	pip	<= 0.9.4	`0.9.5`
136.3K Pushed 5d ago 75% patched ~4d to patch Full package profile →

Do you use open-webui? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A None

What should I do?

4 steps

PATCH

Upgrade open-webui to v0.9.5 immediately — this release adds per-file ownership validation at every writer endpoint, closing both attack paths.
WORKAROUND (if patching is delayed): Restrict the instance to single-tenant use or a fully trusted internal user group; do not expose multi-tenant open-webui to any untrusted authenticated users.
DETECTION

Audit application and API gateway logs for POST requests to /api/v1/folders/*/update containing file_id values not created by the requesting user, and POST requests to /api/v1/knowledge/*/file/add or */files/batch/add referencing cross-user file IDs. Correlate with anomalous chat sessions in folders with recently-attached unfamiliar file IDs.
INCIDENT RESPONSE

If exploitation is suspected, enumerate knowledge base and folder data fields for unexpected file_id references; compare file content hashes against backup baselines to detect tampering; revoke API tokens for affected user accounts and notify impacted document owners.

Classification

Auth Bypass Data Extraction Data Leakage RAG Framework Agent AML.T0024 - Exfiltration via AI Inference API AML.T0049 - Exploit Public-Facing Application AML.T0064 - Gather RAG-Indexed Targets AML.T0070 - RAG Poisoning AML.T0085.000 - RAG Databases

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.2 - Access control

NIST AI RMF

MEASURE 2.5 - Privacy risks

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-45402?

open-webui <= 0.9.4 allows any authenticated user to silently read and overwrite another user's private uploaded files by supplying the target's file UUID to unguarded folder-knowledge or knowledge-base attachment endpoints. Once attached, the victim's document flows directly into the LLM's RAG context, surfacing its full contents in chat responses — no further privilege escalation required. While file UUIDs are V4 and not brute-forceable, they routinely leak through shared chat citations, workspace URLs, browser history, and export flows, making opportunistic exploitation realistic in any multi-tenant deployment; with 91 prior CVEs in this package and a trivial two-curl PoC, weaponization is a low bar. Organizations running open-webui for team or enterprise use should upgrade to v0.9.5 immediately; if patching is delayed, restrict the instance to single-tenant or fully trusted-user environments and audit access logs for unexpected calls to /api/v1/folders/*/update and /api/v1/knowledge/*/file/add.

Is CVE-2026-45402 actively exploited?

No confirmed active exploitation of CVE-2026-45402 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45402?

1. PATCH: Upgrade open-webui to v0.9.5 immediately — this release adds per-file ownership validation at every writer endpoint, closing both attack paths. 2. WORKAROUND (if patching is delayed): Restrict the instance to single-tenant use or a fully trusted internal user group; do not expose multi-tenant open-webui to any untrusted authenticated users. 3. DETECTION: Audit application and API gateway logs for POST requests to /api/v1/folders/*/update containing file_id values not created by the requesting user, and POST requests to /api/v1/knowledge/*/file/add or */files/batch/add referencing cross-user file IDs. Correlate with anomalous chat sessions in folders with recently-attached unfamiliar file IDs. 4. INCIDENT RESPONSE: If exploitation is suspected, enumerate knowledge base and folder data fields for unexpected file_id references; compare file content hashes against backup baselines to detect tampering; revoke API tokens for affected user accounts and notify impacted document owners.

What systems are affected by CVE-2026-45402?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, multi-tenant AI chatbot deployments, knowledge base systems, document-grounded LLM applications, enterprise AI assistant platforms.

What is the CVSS score for CVE-2026-45402?

CVE-2026-45402 has a CVSS v3.1 base score of 8.1 (HIGH).

Technical Details

NVD Description

# Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints ## Summary Multiple endpoints accept a user-supplied `file_id` and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. ## Affected code paths ### Path 1 — Folder knowledge ingestion via `folders.update` `backend/open_webui/routers/folders.py:156` — `POST /api/v1/folders/{id}/update` accepts a `FolderUpdateForm` whose `data: Optional[dict]` field is written verbatim into the folder. The folder consumer at `backend/open_webui/utils/middleware.py:2409` spreads `folder.data['files']` directly into `form_data['files']` for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) — only the *folder list* endpoint (`folders.py:78-94`) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim's file UUID can write `data: {"files": [{"id": "<victim>", "type": "file"}]}` into their own folder, immediately chat in that folder, and have the LLM return the victim's document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened. ### Path 2 — Knowledge-base attach via `knowledge.{id}/file/add` and `knowledge.{id}/files/batch/add` `backend/open_webui/routers/knowledge.py:616-669` (`add_file_to_knowledge_by_id`) and `backend/open_webui/routers/knowledge.py:972-1035` (`add_files_to_knowledge_by_id_batch`) check the caller's *write access to the knowledge base* but never validate the caller's access to the `file_id` being attached. Because `has_access_to_file(..., user)` returns True for any file linked to a KB the caller owns, attaching a victim's `file_id` to an attacker-owned KB silently unlocks read **and** write on that file through `/api/v1/files/{id}/content` and `/api/v1/files/{id}/data/content/update`. This is a stronger variant than Path 1 — full read AND overwrite, persisted, no cleanup pass to mitigate. ## Proof of concept ### Path 1 (folder knowledge) ```bash # Attacker writes victim file_id into their own folder curl -X POST http://target/api/v1/folders/<attacker_folder_id>/update \ -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \ -d "{\"data\": {\"files\": [{\"id\": \"$VICTIM_FILE_ID\", \"type\": \"file\"}]}}" # Attacker chats in that folder — victim file becomes RAG context curl -X POST http://target/api/chat/completions \ -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \ -d "{\"model\":\"any\",\"messages\":[{\"role\":\"user\",\"content\":\"summarise my uploaded document\"}],\"folder_id\":\"<attacker_folder_id>\"}" ``` ### Path 2 (knowledge-base attach) ``` # Attacker creates own KB KB=$(curl -s -X POST http://target/api/v1/knowledge/create \ -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \ -d '{"name":"x","description":"x","data":{}}' | jq -r .id) # Attach victim's file_id — no ownership check curl -X POST http://target/api/v1/knowledge/$KB/file/add \ -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \ -d "{\"file_id\":\"$VICTIM_FILE_ID\"}" # Read victim file through standard files endpoint (now accessible because file is "linked to KB I own") curl http://target/api/v1/files/$VICTIM_FILE_ID/content -H "Authorization: Bearer $ATK" # Overwrite curl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \ -H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \ -d '{"content":"tampered"}' ``` ## Impact - Confidentiality: Any authenticated user can read the contents of any other user's private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage — file IDs appear in chat sources, in shared chats' citations, in URL paths (/workspace/files/<id>), in browser history / referrer headers, and in any export/share flow that surfaces source metadata. - Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim's file content, persisting attacker-controlled text under the victim's file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim's file return the tampered content. - Availability: None directly — file rows are not deleted by these paths. ## Recommended fix Validate the supplied file_id against the caller's read access before attaching, in every writer. ### Credits Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered. MrBeard-FT — first to identify the folder-knowledge ingestion path (Path 1) Classic298 — first to identify the knowledge-base attach path (Path 2 — /knowledge/{id}/file/add and /files/batch/add)

Exploitation Scenario

An attacker with a standard user account on a shared enterprise open-webui deployment discovers a colleague's file UUID from a shared chat where the source citation surfaces file metadata. The attacker creates their own knowledge base via the legitimate API, then POSTs /api/v1/knowledge/{attacker_kb_id}/file/add with the victim's file_id. Because the endpoint validates only write access to the attacker's KB — not ownership of the referenced file — the request succeeds silently, and the victim's confidential document is now accessible through the attacker's context. The attacker calls /api/v1/files/{victim_file_id}/content to retrieve the full plaintext with no LLM involvement. To cover tracks and introduce disinformation into the victim's AI workflows, the attacker then calls /api/v1/files/{victim_file_id}/data/content/update, replacing the document with fabricated content. Every subsequent RAG query against that file — by the victim, their team, or any automated report pipeline — returns the attacker's planted text without any indication of tampering.