CVE-2026-45671

CVE-2026-45671 is a high-severity security vulnerability in open-webui (pip), affecting versions <= 0.8.12. It is fixed in 0.9.0.

Summary

Any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files.

Details

The root cause is in has_access_to_file() in backend/open_webui/routers/files.py.

When a user calls DELETE /api/v1/files/{file_id}, the endpoint delegates authorization to has_access_to_file(file_id, access_type="write", user=requesting_user). Inside that function, one branch checks whether the file is referenced in any shared chat:

chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
    return True

This branch has two missing checks:

  1. No user check: It asks "does any shared chat anywhere reference this file?", not "does the requesting user own or participate in that chat." Any authenticated user passes this check.
  2. No operation check: The access_type parameter ("write" for delete) is accepted but never inspected. The branch returns True regardless of whether the caller is requesting read access or delete access.

The result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.

The delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.

How an attacker obtains file UUIDs:

UUIDs are impractical to brute-force, but they don't need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via GET /api/v1/knowledge/{id}/files. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.

Suggested fix: gate the shared-chat branch on access_type so it only authorizes read operations:

if access_type == "read":
    chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
    if chats:
        return True

Classification:

  • CWE-639: Authorization Bypass Through User-Controlled Key
  • OWASP API1:2023: Broken Object Level Authorization
  • CVSS 3.1: 5.7, AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Tested on Open WebUI 0.8.3 using a default Docker configuration.

PoC

Prerequisites:

  • Default Open WebUI installation (Docker: ghcr.io/open-webui/open-webui:main)
  • Two user accounts: a victim (any role) and an attacker (role: user)

Setup (victim):

  1. Log in as the victim
  2. Create a knowledge base and upload a document
  3. Start a new chat, attach the KB file, and send a message
  4. Share the chat using the share button

Obtaining the file UUID (attacker):

If the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:

GET /api/v1/knowledge/{kb_id}/files

This returns metadata for all files in the KB, including their UUIDs.

Exploit (attacker):

python3 poc.py --url http://<host>:3000 --file-id <target-file-uuid> -t <attacker-jwt>

The PoC script (attached as poc.py):

  1. Authenticates as the attacker
  2. Confirms the target file is accessible via GET /api/v1/files/{id}/data/content
  3. Deletes the file via DELETE /api/v1/files/{id}
  4. Verifies permanent deletion (HTTP 404 on subsequent GET)

No special tooling is required, the script uses only Python 3 standard library (urllib).

Disclaimer on the use of AI powered tools

The research and reporting related to this vulnerability was aided by AI tools.

Scope clarification

The root cause is the has_access_to_file() shared-chat branch returning True regardless of access_type or requesting user. The original PoC demonstrates DELETE (access_type='write'), but the same gate is what authorizes the read (GET /api/v1/files/{id}, GET /api/v1/files/{id}/content) and modify (POST /api/v1/files/{id}/data/content/update) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.

Resolution

Fixed in commit 2e52ad8ff ("refac: shared chat"), first released in v0.9.0 (Apr 2026). The shared-chat feature was refactored to introduce a dedicated shared_chats table and gate shared-chat access through AccessGrants (resource_type='shared_chat'). has_access_to_file() (now in backend/open_webui/utils/access_control/files.py:68-80) calls AccessGrants.get_accessible_resource_ids to filter the shared-chat IDs to only those the requesting user has an explicit grant on, ownership, group membership, or public share, before returning True

The new gate is permission-aware ('read' here) and user-aware, closing both the "any user passes" issue and the "access_type ignored" issue. Users on >= 0.9.0 are not affected.

Impact

Who is affected: Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.

What can happen:

  • Permanent data destruction: The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism.
  • Knowledge base degradation: If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing.
  • No audit trail: The delete operation does not record which user performed it.

Sharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.

CVE-2026-45671 has a CVSS score of 8.0 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.0); upgrading removes the vulnerable code path.

Affected versions

open-webui (<= 0.8.12)

Security releases

open-webui → 0.9.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade open-webui to 0.9.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-45671? CVE-2026-45671 is a high-severity security vulnerability in open-webui (pip), affecting versions <= 0.8.12. It is fixed in 0.9.0.
  2. How severe is CVE-2026-45671? CVE-2026-45671 has a CVSS score of 8.0 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of open-webui are affected by CVE-2026-45671? open-webui (pip) versions <= 0.8.12 is affected.
  4. Is there a fix for CVE-2026-45671? Yes. CVE-2026-45671 is fixed in 0.9.0. Upgrade to this version or later.
  5. Is CVE-2026-45671 exploitable, and should I be worried? Whether CVE-2026-45671 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-45671 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-45671? Upgrade open-webui to 0.9.0 or later.

Other vulnerabilities in open-webui

CVE-2026-54022CVE-2026-54021CVE-2026-54019CVE-2026-54018CVE-2026-54017

Stop the waste.
Protect your environment with Kodem.