Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file — CVE-2026-45301
GitHub · GitHub · CVE-2026-45301
ID
CVE-2026-45301
CVE-2026-45301
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.1
8.1
EPSS
0.00028
0.00028
Summary
### Summary A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. ### Details All `files/` related endpoints lack permission checks. #### Listing all files For example, let's see how file listing is implemented:…
Product
pip: open-webui
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.