CVE-2026-29070

Medium CVSS: 5.4

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.

Vendor

Openwebui

Product

Open Webui

CWE

CWE-862

Yayın Tarihi

2026-03-27 00:16:22

Güncelleme

2026-04-01 16:10:43

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-862 Open Webui MEDIUM Openwebui 2026

Referanslar

https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf

Benzer Kayıtlar

Medium

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

Low

CVE-2026-29071

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.…

High

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.…

High

CVE-2026-26193

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.…

High

CVE-2026-0765

Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerabilit…