CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3251 vulnerabilities reference this CWE, most recent first.
GHSA-259M-56QF-8WC5
Vulnerability from github – Published: 2024-04-30 21:30 – Updated: 2024-07-03 18:37Arbitrary File Read vulnerability in novel-plus 4.3.0 and before allows a remote attacker to obtain sensitive information via a crafted GET request using the filePath parameter.
{
"affected": [],
"aliases": [
"CVE-2024-33383"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T20:15:08Z",
"severity": "HIGH"
},
"details": "Arbitrary File Read vulnerability in novel-plus 4.3.0 and before allows a remote attacker to obtain sensitive information via a crafted GET request using the filePath parameter.",
"id": "GHSA-259m-56qf-8wc5",
"modified": "2024-07-03T18:37:55Z",
"published": "2024-04-30T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33383"
},
{
"type": "WEB",
"url": "https://juvl1ne.github.io/2024/04/18/novel-plus-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-259M-9WGG-GMJW
Vulnerability from github – Published: 2022-10-21 12:00 – Updated: 2022-10-21 19:01Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.
{
"affected": [],
"aliases": [
"CVE-2022-36966"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-20T21:15:00Z",
"severity": "MODERATE"
},
"details": "Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.",
"id": "GHSA-259m-9wgg-gmjw",
"modified": "2022-10-21T19:01:09Z",
"published": "2022-10-21T12:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36966"
},
{
"type": "WEB",
"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4_release_notes.htm"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36966"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-25F8-P6JG-JQW6
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:52Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter).
{
"affected": [],
"aliases": [
"CVE-2019-12742"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-05T16:29:00Z",
"severity": "HIGH"
},
"details": "Bludit prior to 3.9.1 allows a non-privileged user to change the password of any account, including admin. This occurs because of bl-kernel/admin/controllers/user-password.php Insecure Direct Object Reference (a modified username POST parameter).",
"id": "GHSA-25f8-p6jg-jqw6",
"modified": "2024-04-04T00:52:38Z",
"published": "2022-05-24T16:47:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12742"
},
{
"type": "WEB",
"url": "https://github.com/bludit/bludit/commit/a1bb333153fa8ba29a88cfba423d810f509a2b37"
},
{
"type": "WEB",
"url": "https://github.com/bludit/bludit/releases/tag/3.9.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25FX-MXC2-76G7
Vulnerability from github – Published: 2021-10-06 17:49 – Updated: 2022-08-15 20:11Impact
URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to access for anyone, not even the order's customer. The problem was, the Credit card form has prefilled "credit card holder" field with the Customer's first and last name.
Additionally, the mentioned form did not require a 3D Secure authentication, as well as did not checked the result of the 3D Secure authentication.
Patches
The problem has been patched in Sylius/PayPalPlugin 1.2.4 and 1.3.1
Workarounds
One can override a sylius_paypal_plugin_pay_with_paypal_form route and change its URL parameters to (for example) {orderToken}/{paymentId}, then override the Sylius\PayPalPlugin\Controller\PayWithPayPalFormAction service, to operate on the payment taken from the repository by these 2 values. It would also require usage of custom repository method.
Additionally, one could override the @SyliusPayPalPlugin/payWithPaypal.html.twig template, to add contingencies: ['SCA_ALWAYS'] line in hostedFields.submit(...) function call (line 421). It would then have to be handled in the function callback.
For more information
If you have any questions or comments about this advisory: - Open an issue in Sylius/PayPalPlugin issues - Email us at security at sylius dot com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/paypal-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/paypal-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41120"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-05T21:12:27Z",
"nvd_published_at": "2021-10-05T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nURL to the payment page done after checkout was created with autoincremented payment id (`/pay-with-paypal/{id}`) and therefore it was easy to access for anyone, not even the order\u0027s customer. The problem was, the Credit card form has prefilled \"credit card holder\" field with the Customer\u0027s first and last name.\nAdditionally, the mentioned form did not require a 3D Secure authentication, as well as did not checked the result of the 3D Secure authentication.\n\n### Patches\nThe problem has been patched in Sylius/PayPalPlugin **1.2.4** and **1.3.1**\n\n### Workarounds\nOne can override a `sylius_paypal_plugin_pay_with_paypal_form` route and change its URL parameters to (for example) `{orderToken}/{paymentId}`, then override the `Sylius\\PayPalPlugin\\Controller\\PayWithPayPalFormAction` service, to operate on the payment taken from the repository by these 2 values. It would also require usage of custom repository method.\nAdditionally, one could override the `@SyliusPayPalPlugin/payWithPaypal.html.twig` template, to add `contingencies: [\u0027SCA_ALWAYS\u0027]` line in `hostedFields.submit(...)` function call (line 421). It would then have to be handled in the function callback.\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in Sylius/PayPalPlugin issues\n- Email us at security at sylius dot com\n",
"id": "GHSA-25fx-mxc2-76g7",
"modified": "2022-08-15T20:11:12Z",
"published": "2021-10-06T17:49:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-25fx-mxc2-76g7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41120"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/commit/2adc46be2764ccee22b4247139b8056fb8d1afff"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/PayPalPlugin/commit/814923c2e9d97fe6279dcee866c34ced3d2fb7a7"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/PayPalPlugin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sylius PayPal Plugin allows unauthorized access to Credit card form, exposing payer name and not requiring 3DS"
}
GHSA-25JM-89CM-8Q44
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-07-30 00:00The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature
{
"affected": [],
"aliases": [
"CVE-2021-24739"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T09:15:00Z",
"severity": "HIGH"
},
"details": "The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature",
"id": "GHSA-25jm-89cm-8q44",
"modified": "2022-07-30T00:00:40Z",
"published": "2021-12-22T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24739"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/2afadc76-93ad-47e1-a224-e442ac41cbce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-25V3-3WW8-WR27
Vulnerability from github – Published: 2022-11-28 15:30 – Updated: 2022-11-30 06:30The Awesome Support WordPress plugin before 6.1.2 does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as subscriber to download arbitrary exported tickets via an IDOR vector
{
"affected": [],
"aliases": [
"CVE-2022-3511"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "The Awesome Support WordPress plugin before 6.1.2 does not ensure that the exported tickets archive to be downloaded belongs to the user making the request, allowing a low privileged user, such as subscriber to download arbitrary exported tickets via an IDOR vector",
"id": "GHSA-25v3-3ww8-wr27",
"modified": "2022-11-30T06:30:27Z",
"published": "2022-11-28T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3511"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/9e57285a-0023-4711-874c-6e7b3c2673d1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-25VJ-QM23-FX63
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2021-24840"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-08T18:15:00Z",
"severity": "MODERATE"
},
"details": "The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.",
"id": "GHSA-25vj-qm23-fx63",
"modified": "2022-05-24T19:19:57Z",
"published": "2022-05-24T19:19:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24840"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/971302fd-4e8b-4c6a-818f-3a42c7fb83ef"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-25WW-MHX2-69FF
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-10-22 15:31An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelectionNetworks.asp.
{
"affected": [],
"aliases": [
"CVE-2025-40659"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T10:15:28Z",
"severity": "MODERATE"
},
"details": "An Insecure Direct Object Reference (IDOR) vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to access the private area setting the\u00a0option parameter equal to 0, 1 or 2 in /administer/selectionnode/framesSelectionNetworks.asp.",
"id": "GHSA-25ww-mhx2-69ff",
"modified": "2025-10-22T15:31:04Z",
"published": "2025-06-10T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40659"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dm-corporative-cms-dmacroweb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-26G6-6369-5JMC
Vulnerability from github – Published: 2025-04-23 12:31 – Updated: 2025-04-23 12:31This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body to gain unauthorized access to other user accounts.
Successful exploitation of this vulnerability could allow remote attacker to perform authorized manipulation of data associated with other user accounts.
{
"affected": [],
"aliases": [
"CVE-2025-42605"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-23T11:15:47Z",
"severity": "CRITICAL"
},
"details": "This vulnerability exists in Meon Bidding Solutions due to improper authorization controls on certain API endpoints for the initiation, modification, or cancellation operations. An authenticated remote attacker could exploit this vulnerability by manipulating parameter in the API request body to gain unauthorized access to other user accounts.\n\nSuccessful exploitation of this vulnerability could allow remote attacker to perform authorized manipulation of data associated with other user accounts.",
"id": "GHSA-26g6-6369-5jmc",
"modified": "2025-04-23T12:31:25Z",
"published": "2025-04-23T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42605"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-26G9-27VM-X3Q8
Vulnerability from github – Published: 2026-05-14 20:28 – Updated: 2026-05-15 23:54Summary
Any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files.
Details
The root cause is in has_access_to_file() in backend/open_webui/routers/files.py.
When a user calls DELETE /api/v1/files/{file_id}, the endpoint delegates authorization to has_access_to_file(file_id, access_type="write", user=requesting_user). Inside that function, one branch checks whether the file is referenced in any shared chat:
chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
return True
This branch has two missing checks:
- No user check: It asks "does any shared chat anywhere reference this file?", not "does the requesting user own or participate in that chat." Any authenticated user passes this check.
- No operation check: The
access_typeparameter ("write"for delete) is accepted but never inspected. The branch returnsTrueregardless of whether the caller is requesting read access or delete access.
The result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.
The delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.
How an attacker obtains file UUIDs:
UUIDs are impractical to brute-force, but they don't need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via GET /api/v1/knowledge/{id}/files. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.
Suggested fix: gate the shared-chat branch on access_type so it only authorizes read operations:
if access_type == "read":
chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
return True
Classification:
- CWE-639: Authorization Bypass Through User-Controlled Key
- OWASP API1:2023: Broken Object Level Authorization
- CVSS 3.1: 5.7 — AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Tested on Open WebUI 0.8.3 using a default Docker configuration.
PoC
Prerequisites:
- Default Open WebUI installation (Docker: ghcr.io/open-webui/open-webui:main)
- Two user accounts: a victim (any role) and an attacker (role: user)
Setup (victim): 1. Log in as the victim 2. Create a knowledge base and upload a document 3. Start a new chat, attach the KB file, and send a message 4. Share the chat using the share button
Obtaining the file UUID (attacker):
If the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:
GET /api/v1/knowledge/{kb_id}/files
This returns metadata for all files in the KB, including their UUIDs.
Exploit (attacker):
python3 poc.py --url http://<host>:3000 --file-id <target-file-uuid> -t <attacker-jwt>
The PoC script (attached as poc.py):
1. Authenticates as the attacker
2. Confirms the target file is accessible via GET /api/v1/files/{id}/data/content
3. Deletes the file via DELETE /api/v1/files/{id}
4. Verifies permanent deletion (HTTP 404 on subsequent GET)
No special tooling is required — the script uses only Python 3 standard library (urllib).
Impact
Who is affected: Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.
What can happen: - Permanent data destruction: The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism. - Knowledge base degradation: If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing. - No audit trail: The delete operation does not record which user performed it.
Sharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.
Disclaimer on the use of AI powered tools
The research and reporting related to this vulnerability was aided by AI tools.
Scope clarification
The root cause is the has_access_to_file() shared-chat branch returning True regardless of access_type or requesting user. The original PoC demonstrates DELETE (access_type='write'), but the same gate is what authorizes the read (GET /api/v1/files/{id}, GET /api/v1/files/{id}/content) and modify (POST /api/v1/files/{id}/data/content/update) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.
Resolution
Fixed in commit 2e52ad8ff ("refac: shared chat"), first released in v0.9.0 (Apr 2026). The shared-chat feature was refactored to introduce a dedicated shared_chats table and gate shared-chat access through AccessGrants (resource_type='shared_chat'). has_access_to_file() (now in backend/open_webui/utils/access_control/files.py:68-80) calls AccessGrants.get_accessible_resource_ids to filter the shared-chat IDs to only those the requesting user has an explicit grant on — ownership, group membership, or public share — before returning True
The new gate is permission-aware ('read' here) and user-aware, closing both the "any user passes" issue and the "access_type ignored" issue. Users on >= 0.9.0 are not affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.12"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45671"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:28:34Z",
"nvd_published_at": "2026-05-15T20:16:49Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAny authenticated user can permanently delete files owned by other users via `DELETE /api/v1/files/{id}` when the target file is referenced in any shared chat. The `has_access_to_file()` authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user\u0027s identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via `GET /api/v1/knowledge/{id}/files`.\n\n### Details\n\nThe root cause is in `has_access_to_file()` in [backend/open_webui/routers/files.py](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/files.py).\n\nWhen a user calls `DELETE /api/v1/files/{file_id}`, the endpoint delegates authorization to `has_access_to_file(file_id, access_type=\"write\", user=requesting_user)`. Inside that function, one branch checks whether the file is referenced in any shared chat:\n\n```python\nchats = Chats.get_shared_chats_by_file_id(file_id, db=db)\nif chats:\n return True\n```\n\nThis branch has two missing checks:\n\n1. **No user check:** It asks \"does any shared chat anywhere reference this file?\", not \"does the requesting user own or participate in that chat.\" Any authenticated user passes this check.\n2. **No operation check:** The `access_type` parameter (`\"write\"` for delete) is accepted but never inspected. The branch returns `True` regardless of whether the caller is requesting read access or delete access.\n\nThe result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.\n\nThe delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.\n\n**How an attacker obtains file UUIDs:**\n\nUUIDs are impractical to brute-force, but they don\u0027t need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via `GET /api/v1/knowledge/{id}/files`. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.\n\n**Suggested fix**: gate the shared-chat branch on `access_type` so it only authorizes read operations:\n\n```python\nif access_type == \"read\":\n chats = Chats.get_shared_chats_by_file_id(file_id, db=db)\n if chats:\n return True\n```\n\n**Classification:**\n- CWE-639: Authorization Bypass Through User-Controlled Key\n- OWASP API1:2023: Broken Object Level Authorization\n- CVSS 3.1: 5.7 \u2014 `AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H`\n\nTested on Open WebUI **0.8.3** using a default Docker configuration.\n\n### PoC\n\n**Prerequisites:**\n- Default Open WebUI installation (Docker: `ghcr.io/open-webui/open-webui:main`)\n- Two user accounts: a victim (any role) and an attacker (role: `user`)\n\n**Setup (victim):**\n1. Log in as the victim\n2. Create a knowledge base and upload a document\n3. Start a new chat, attach the KB file, and send a message\n4. Share the chat using the share button\n\n**Obtaining the file UUID (attacker):**\n\nIf the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:\n\n```\nGET /api/v1/knowledge/{kb_id}/files\n```\n\nThis returns metadata for all files in the KB, including their UUIDs.\n\n**Exploit (attacker):**\n\n```bash\npython3 poc.py --url http://\u003chost\u003e:3000 --file-id \u003ctarget-file-uuid\u003e -t \u003cattacker-jwt\u003e\n```\n\nThe PoC script (attached as `poc.py`):\n1. Authenticates as the attacker\n2. Confirms the target file is accessible via `GET /api/v1/files/{id}/data/content`\n3. Deletes the file via `DELETE /api/v1/files/{id}`\n4. Verifies permanent deletion (HTTP 404 on subsequent GET)\n\nNo special tooling is required \u2014 the script uses only Python 3 standard library (`urllib`).\n\n### Impact\n\n**Who is affected:** Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.\n\n**What can happen:**\n- **Permanent data destruction:** The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism.\n- **Knowledge base degradation:** If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing.\n- **No audit trail:** The delete operation does not record which user performed it.\n\nSharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.\n\n### Disclaimer on the use of AI powered tools \n\nThe research and reporting related to this vulnerability was aided by AI tools. \n\n## Scope clarification\n\nThe root cause is the `has_access_to_file()` shared-chat branch returning `True` regardless of `access_type` or requesting user. The original PoC demonstrates DELETE (`access_type=\u0027write\u0027`), but the same gate is what authorizes the read (`GET /api/v1/files/{id}`, `GET /api/v1/files/{id}/content`) and modify (`POST /api/v1/files/{id}/data/content/update`) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.\n\n## Resolution\n\nFixed in commit [2e52ad8ff](https://github.com/open-webui/open-webui/commit/2e52ad8ff2f8d9ed9f38f76e9bc19c8f92d91fc3) (\"refac: shared chat\"), first released in **v0.9.0** (Apr 2026). The shared-chat feature was refactored to introduce a dedicated `shared_chats` table and gate shared-chat access through `AccessGrants` (`resource_type=\u0027shared_chat\u0027`). `has_access_to_file()` (now in `backend/open_webui/utils/access_control/files.py:68-80`) calls `AccessGrants.get_accessible_resource_ids` to filter the shared-chat IDs to only those the requesting user has an explicit grant on \u2014 ownership, group membership, or public share \u2014 before returning `True`\n\nThe new gate is permission-aware (\u0027read\u0027 here) and user-aware, closing both the \"any user passes\" issue and the \"access_type ignored\" issue. Users on \u003e= 0.9.0 are not affected.",
"id": "GHSA-26g9-27vm-x3q8",
"modified": "2026-05-15T23:54:57Z",
"published": "2026-05-14T20:28:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45671"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/commit/2e52ad8ff2f8d9ed9f38f76e9bc19c8f92d91fc3"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.