CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3251 vulnerabilities reference this CWE, most recent first.
GHSA-R2H2-G46H-8MX8
Vulnerability from github – Published: 2025-12-19 15:31 – Updated: 2025-12-20 17:39Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "2025.10.0"
},
{
"fixed": "2025.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "2025.9.0"
},
{
"fixed": "2025.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14881"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-20T17:39:02Z",
"nvd_published_at": "2025-12-19T13:16:01Z",
"severity": "LOW"
},
"details": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.",
"id": "GHSA-r2h2-g46h-8mx8",
"modified": "2025-12-20T17:39:02Z",
"published": "2025-12-19T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14881"
},
{
"type": "WEB",
"url": "https://github.com/pretix/pretix/commit/4b5651862c57c6e384822d1d23292342126c479a"
},
{
"type": "PACKAGE",
"url": "https://github.com/pretix/pretix"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20251219-release-2025-10-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "pretix has Broken Access Control Allowing Cross-User File Access via UUID"
}
GHSA-R2JV-FWFR-4J8C
Vulnerability from github – Published: 2026-01-27 15:30 – Updated: 2026-01-28 16:15All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "askbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1213"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-28T16:15:51Z",
"nvd_published_at": "2026-01-27T14:15:55Z",
"severity": "MODERATE"
},
"details": "All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2.",
"id": "GHSA-r2jv-fwfr-4j8c",
"modified": "2026-01-28T16:15:51Z",
"published": "2026-01-27T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1213"
},
{
"type": "WEB",
"url": "https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d"
},
{
"type": "WEB",
"url": "https://askbot.com"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/ghost"
},
{
"type": "PACKAGE",
"url": "https://github.com/askbot/askbot-devel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "askbot inexhaustive permissions check allows any user to modify a different user\u0027s profile picture"
}
GHSA-R2M5-9RWX-269R
Vulnerability from github – Published: 2026-05-05 21:31 – Updated: 2026-06-22 18:34Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.
{
"affected": [],
"aliases": [
"CVE-2026-41950"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T21:16:23Z",
"severity": "MODERATE"
},
"details": "Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.",
"id": "GHSA-r2m5-9rwx-269r",
"modified": "2026-06-22T18:34:00Z",
"published": "2026-05-05T21:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41950"
},
{
"type": "WEB",
"url": "https://github.com/langgenius/dify/releases/tag/1.14.0"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid"
},
{
"type": "WEB",
"url": "https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R2XX-GPRX-Q489
Vulnerability from github – Published: 2024-03-29 15:30 – Updated: 2026-04-28 21:34Authorization Bypass Through User-Controlled Key vulnerability in Molongui.This issue affects Molongui: from n/a through 4.7.7.
{
"affected": [],
"aliases": [
"CVE-2024-30507"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-29T15:15:14Z",
"severity": "LOW"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Molongui.This issue affects Molongui: from n/a through 4.7.7.",
"id": "GHSA-r2xx-gprx-q489",
"modified": "2026-04-28T21:34:25Z",
"published": "2024-03-29T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30507"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/molongui-authorship/wordpress-molongui-authorship-plugin-4-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R345-X8HR-2R9P
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2023-11-15 20:26An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "airesvsg/acf-to-rest-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13700"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-15T20:26:56Z",
"nvd_published_at": "2020-06-24T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a `wp-json/acf/v3/options/` request that reads sensitive information in the `wp_options` table, such as the login and pass values.",
"id": "GHSA-r345-x8hr-2r9p",
"modified": "2023-11-15T20:26:56Z",
"published": "2022-05-24T17:21:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13700"
},
{
"type": "WEB",
"url": "https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5"
},
{
"type": "PACKAGE",
"url": "https://github.com/airesvsg/acf-to-rest-api"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/acf-to-rest-api/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation"
}
GHSA-R3V6-QW6X-WF6H
Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-23 15:32MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization.
The affected paths included:
-
Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report
-
Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own.
- Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records.
- Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements.
- Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.
Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.
{
"affected": [],
"aliases": [
"CVE-2026-56424"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T14:17:50Z",
"severity": "HIGH"
},
"details": "MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user\u2019s organization.\n\n\nThe affected paths included:\n\n * Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report\n\n\n\n\n * Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element\u2019s actual parent collection, enabling deletion of elements from collections the user did not own.\n * Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData\u00a0ownership check, enabling cross-organization overwrite of analyst data records.\n * Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element\u2019s actual parent template, enabling unauthorized edits to another organization\u2019s template elements.\n * Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.\u00a0\n\n\n\n\n\n\n\n\nSuccessful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.",
"id": "GHSA-r3v6-qw6x-wf6h",
"modified": "2026-06-23T15:32:31Z",
"published": "2026-06-22T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56424"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/24d7e91339a3ef043652dd5799c36e5065b2bb4a"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/3aecc04d5816189412b589cf590c6dbe9a8db5c0"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/57ad774d21bd1863d060a9e6e73ae54eb96784ce"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/744005cefdc3b943bd29669c3b34cc66a5fc2154"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/ba2f51fe7440ba2c6043ccde858cac1e25f96931"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R3WV-XR72-34X9
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 15:30Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 3.0.3.
{
"affected": [],
"aliases": [
"CVE-2026-32535"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:17:07Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through \u003c= 3.0.3.",
"id": "GHSA-r3wv-xr72-34x9",
"modified": "2026-03-26T15:30:34Z",
"published": "2026-03-25T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32535"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R472-MW7M-967F
Vulnerability from github – Published: 2026-05-14 20:27 – Updated: 2026-05-15 23:55Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Summary
Multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID.
Affected code paths
Path 1 — Folder knowledge ingestion via folders.update
backend/open_webui/routers/folders.py:156 — POST /api/v1/folders/{id}/update accepts a FolderUpdateForm whose data: Optional[dict] field is written verbatim into the folder. The folder consumer at backend/open_webui/utils/middleware.py:2409 spreads folder.data['files'] directly into form_data['files'] for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) — only the folder list endpoint (folders.py:78-94) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim's file UUID can write data: {"files": [{"id": "<victim>", "type": "file"}]} into their own folder, immediately chat in that folder, and have the LLM return the victim's document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.
Path 2 — Knowledge-base attach via knowledge.{id}/file/add and knowledge.{id}/files/batch/add
backend/open_webui/routers/knowledge.py:616-669 (add_file_to_knowledge_by_id) and backend/open_webui/routers/knowledge.py:972-1035 (add_files_to_knowledge_by_id_batch) check the caller's write access to the knowledge base but never validate the caller's access to the file_id being attached. Because has_access_to_file(..., user) returns True for any file linked to a KB the caller owns, attaching a victim's file_id to an attacker-owned KB silently unlocks read and write on that file through /api/v1/files/{id}/content and /api/v1/files/{id}/data/content/update. This is a stronger variant than Path 1 — full read AND overwrite, persisted, no cleanup pass to mitigate.
Proof of concept
Path 1 (folder knowledge)
# Attacker writes victim file_id into their own folder
curl -X POST http://target/api/v1/folders/<attacker_folder_id>/update \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d "{\"data\": {\"files\": [{\"id\": \"$VICTIM_FILE_ID\", \"type\": \"file\"}]}}"
# Attacker chats in that folder — victim file becomes RAG context
curl -X POST http://target/api/chat/completions \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d "{\"model\":\"any\",\"messages\":[{\"role\":\"user\",\"content\":\"summarise my uploaded document\"}],\"folder_id\":\"<attacker_folder_id>\"}"
Path 2 (knowledge-base attach)
# Attacker creates own KB
KB=$(curl -s -X POST http://target/api/v1/knowledge/create \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d '{"name":"x","description":"x","data":{}}' | jq -r .id)
# Attach victim's file_id — no ownership check
curl -X POST http://target/api/v1/knowledge/$KB/file/add \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d "{\"file_id\":\"$VICTIM_FILE_ID\"}"
# Read victim file through standard files endpoint (now accessible because file is "linked to KB I own")
curl http://target/api/v1/files/$VICTIM_FILE_ID/content -H "Authorization: Bearer $ATK"
# Overwrite
curl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \
-H "Authorization: Bearer $ATK" -H "Content-Type: application/json" \
-d '{"content":"tampered"}'
Impact
- Confidentiality: Any authenticated user can read the contents of any other user's private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage — file IDs appear in chat sources, in shared chats' citations, in URL paths (/workspace/files/), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.
- Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim's file content, persisting attacker-controlled text under the victim's file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim's file return the tampered content.
- Availability: None directly — file rows are not deleted by these paths.
Recommended fix
Validate the supplied file_id against the caller's read access before attaching, in every writer.
Credits
Per the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.
MrBeard-FT — first to identify the folder-knowledge ingestion path (Path 1) Classic298 — first to identify the knowledge-base attach path (Path 2 — /knowledge/{id}/file/add and /files/batch/add)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.4"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45402"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:27:35Z",
"nvd_published_at": "2026-05-15T21:16:38Z",
"severity": "HIGH"
},
"details": "# Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints\n\n## Summary\n\nMultiple endpoints accept a user-supplied `file_id` and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file\u0027s content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user\u0027s private file \u2014 and on the knowledge-base path, also to overwrite it \u2014 given knowledge of the file\u0027s UUID.\n\n## Affected code paths\n\n### Path 1 \u2014 Folder knowledge ingestion via `folders.update`\n\n`backend/open_webui/routers/folders.py:156` \u2014 `POST /api/v1/folders/{id}/update` accepts a `FolderUpdateForm` whose `data: Optional[dict]` field is written verbatim into the folder. The folder consumer at `backend/open_webui/utils/middleware.py:2409` spreads `folder.data[\u0027files\u0027]` directly into `form_data[\u0027files\u0027]` for the next chat completion, which becomes RAG context. There is no per-file ownership check at the writer (the update handler) and no per-file ownership check at the reader (the middleware folder consumer) \u2014 only the *folder list* endpoint (`folders.py:78-94`) cleans up by stripping inaccessible files, and that runs lazily at folder-list time rather than at chat time. An attacker with a victim\u0027s file UUID can write `data: {\"files\": [{\"id\": \"\u003cvictim\u003e\", \"type\": \"file\"}]}` into their own folder, immediately chat in that folder, and have the LLM return the victim\u0027s document content via RAG. The cleanup pass strips the file from persistence later, but the exfiltration has already happened.\n\n### Path 2 \u2014 Knowledge-base attach via `knowledge.{id}/file/add` and `knowledge.{id}/files/batch/add`\n\n`backend/open_webui/routers/knowledge.py:616-669` (`add_file_to_knowledge_by_id`) and `backend/open_webui/routers/knowledge.py:972-1035` (`add_files_to_knowledge_by_id_batch`) check the caller\u0027s *write access to the knowledge base* but never validate the caller\u0027s access to the `file_id` being attached. Because `has_access_to_file(..., user)` returns True for any file linked to a KB the caller owns, attaching a victim\u0027s `file_id` to an attacker-owned KB silently unlocks read **and** write on that file through `/api/v1/files/{id}/content` and `/api/v1/files/{id}/data/content/update`. This is a stronger variant than Path 1 \u2014 full read AND overwrite, persisted, no cleanup pass to mitigate.\n\n## Proof of concept\n\n### Path 1 (folder knowledge)\n```bash\n# Attacker writes victim file_id into their own folder\ncurl -X POST http://target/api/v1/folders/\u003cattacker_folder_id\u003e/update \\\n -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n -d \"{\\\"data\\\": {\\\"files\\\": [{\\\"id\\\": \\\"$VICTIM_FILE_ID\\\", \\\"type\\\": \\\"file\\\"}]}}\"\n\n# Attacker chats in that folder \u2014 victim file becomes RAG context\ncurl -X POST http://target/api/chat/completions \\\n -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n -d \"{\\\"model\\\":\\\"any\\\",\\\"messages\\\":[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"summarise my uploaded document\\\"}],\\\"folder_id\\\":\\\"\u003cattacker_folder_id\u003e\\\"}\"\n```\n \n### Path 2 (knowledge-base attach)\n\n```\n# Attacker creates own KB\nKB=$(curl -s -X POST http://target/api/v1/knowledge/create \\\n -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n -d \u0027{\"name\":\"x\",\"description\":\"x\",\"data\":{}}\u0027 | jq -r .id)\n\n# Attach victim\u0027s file_id \u2014 no ownership check\ncurl -X POST http://target/api/v1/knowledge/$KB/file/add \\\n -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n -d \"{\\\"file_id\\\":\\\"$VICTIM_FILE_ID\\\"}\"\n\n# Read victim file through standard files endpoint (now accessible because file is \"linked to KB I own\")\ncurl http://target/api/v1/files/$VICTIM_FILE_ID/content -H \"Authorization: Bearer $ATK\"\n\n# Overwrite\ncurl -X POST http://target/api/v1/files/$VICTIM_FILE_ID/data/content/update \\\n -H \"Authorization: Bearer $ATK\" -H \"Content-Type: application/json\" \\\n -d \u0027{\"content\":\"tampered\"}\u0027\n```\n\n## Impact\n\n- Confidentiality: Any authenticated user can read the contents of any other user\u0027s private uploaded file, given knowledge of the file UUID. UUIDs are V4 (not enumerable in practice) but leak through normal usage \u2014 file IDs appear in chat sources, in shared chats\u0027 citations, in URL paths (/workspace/files/\u003cid\u003e), in browser history / referrer headers, and in any export/share flow that surfaces source metadata.\n- Integrity: Path 2 (knowledge attach) additionally allows the attacker to overwrite the victim\u0027s file content, persisting attacker-controlled text under the victim\u0027s file_id. Subsequent reads by the victim or by any RAG flow that ingests the victim\u0027s file return the tampered content.\n- Availability: None directly \u2014 file rows are not deleted by these paths.\n\n## Recommended fix\n\nValidate the supplied file_id against the caller\u0027s read access before attaching, in every writer.\n\n### Credits\n\nPer the consolidation rule in SECURITY.md, credit goes only to reporters who FIRST identified a distinct sub-path that no earlier filing covered.\n\nMrBeard-FT \u2014 first to identify the folder-knowledge ingestion path (Path 1)\nClassic298 \u2014 first to identify the knowledge-base attach path (Path 2 \u2014 /knowledge/{id}/file/add and /files/batch/add)",
"id": "GHSA-r472-mw7m-967f",
"modified": "2026-05-15T23:55:40Z",
"published": "2026-05-14T20:27:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45402"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints"
}
GHSA-R48Q-9G5R-8Q2H
Vulnerability from github – Published: 2022-06-09 00:00 – Updated: 2022-06-17 18:18Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/emicklei/go-restful/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/emicklei/go-restful"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.16.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/emicklei/go-restful/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1996"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-09T23:50:21Z",
"nvd_published_at": "2022-06-08T13:15:00Z",
"severity": "CRITICAL"
},
"details": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
"id": "GHSA-r48q-9g5r-8q2h",
"modified": "2022-06-17T18:18:04Z",
"published": "2022-06-09T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1996"
},
{
"type": "WEB",
"url": "https://github.com/emicklei/go-restful/issues/489"
},
{
"type": "WEB",
"url": "https://github.com/emicklei/go-restful/commit/926662532deb450272956c7bc573978464aae74e"
},
{
"type": "WEB",
"url": "https://github.com/emicklei/go-restful/commit/f292efff46ae17e9d104f865a60a39a2ae9402f1"
},
{
"type": "WEB",
"url": "https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220923-0005"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0619"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGQKWD6SE75PFBPFVSZYAKAVXKBZXKWS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W56PP46JVZEKCANBKXFKRVSBBRRMCY6V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SO5QC2JFW2PXBWAE27OYYYL5SPFUBHTY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBDD3Q23RCGAGHIXUCWBU6N3S4RNAKXB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/575BLJ3Y2EQBRNTFR2OSQQ6L2W6UCST3"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/emicklei/go-restful"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass Through User-Controlled Key in go-restful"
}
GHSA-R4G7-M54C-6F4W
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-06-06 09:31Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): before v26.0328.
{
"affected": [],
"aliases": [
"CVE-2025-0875"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T08:15:33Z",
"severity": "MODERATE"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): before v26.0328.",
"id": "GHSA-r4g7-m54c-6f4w",
"modified": "2026-06-06T09:31:14Z",
"published": "2025-09-22T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0875"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0282"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0282"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.