GHSA-26G9-27VM-X3Q8

Vulnerability from github – Published: 2026-05-14 20:28 – Updated: 2026-05-15 23:54
VLAI
Summary
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
Details

Summary

Any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file() authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user's identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files.

Details

The root cause is in has_access_to_file() in backend/open_webui/routers/files.py.

When a user calls DELETE /api/v1/files/{file_id}, the endpoint delegates authorization to has_access_to_file(file_id, access_type="write", user=requesting_user). Inside that function, one branch checks whether the file is referenced in any shared chat:

chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
if chats:
    return True

This branch has two missing checks:

  1. No user check: It asks "does any shared chat anywhere reference this file?", not "does the requesting user own or participate in that chat." Any authenticated user passes this check.
  2. No operation check: The access_type parameter ("write" for delete) is accepted but never inspected. The branch returns True regardless of whether the caller is requesting read access or delete access.

The result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.

The delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.

How an attacker obtains file UUIDs:

UUIDs are impractical to brute-force, but they don't need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via GET /api/v1/knowledge/{id}/files. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.

Suggested fix: gate the shared-chat branch on access_type so it only authorizes read operations:

if access_type == "read":
    chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
    if chats:
        return True

Classification: - CWE-639: Authorization Bypass Through User-Controlled Key - OWASP API1:2023: Broken Object Level Authorization - CVSS 3.1: 5.7 — AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Tested on Open WebUI 0.8.3 using a default Docker configuration.

PoC

Prerequisites: - Default Open WebUI installation (Docker: ghcr.io/open-webui/open-webui:main) - Two user accounts: a victim (any role) and an attacker (role: user)

Setup (victim): 1. Log in as the victim 2. Create a knowledge base and upload a document 3. Start a new chat, attach the KB file, and send a message 4. Share the chat using the share button

Obtaining the file UUID (attacker):

If the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:

GET /api/v1/knowledge/{kb_id}/files

This returns metadata for all files in the KB, including their UUIDs.

Exploit (attacker):

python3 poc.py --url http://<host>:3000 --file-id <target-file-uuid> -t <attacker-jwt>

The PoC script (attached as poc.py): 1. Authenticates as the attacker 2. Confirms the target file is accessible via GET /api/v1/files/{id}/data/content 3. Deletes the file via DELETE /api/v1/files/{id} 4. Verifies permanent deletion (HTTP 404 on subsequent GET)

No special tooling is required — the script uses only Python 3 standard library (urllib).

Impact

Who is affected: Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.

What can happen: - Permanent data destruction: The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism. - Knowledge base degradation: If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing. - No audit trail: The delete operation does not record which user performed it.

Sharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.

Disclaimer on the use of AI powered tools

The research and reporting related to this vulnerability was aided by AI tools.

Scope clarification

The root cause is the has_access_to_file() shared-chat branch returning True regardless of access_type or requesting user. The original PoC demonstrates DELETE (access_type='write'), but the same gate is what authorizes the read (GET /api/v1/files/{id}, GET /api/v1/files/{id}/content) and modify (POST /api/v1/files/{id}/data/content/update) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.

Resolution

Fixed in commit 2e52ad8ff ("refac: shared chat"), first released in v0.9.0 (Apr 2026). The shared-chat feature was refactored to introduce a dedicated shared_chats table and gate shared-chat access through AccessGrants (resource_type='shared_chat'). has_access_to_file() (now in backend/open_webui/utils/access_control/files.py:68-80) calls AccessGrants.get_accessible_resource_ids to filter the shared-chat IDs to only those the requesting user has an explicit grant on — ownership, group membership, or public share — before returning True

The new gate is permission-aware ('read' here) and user-aware, closing both the "any user passes" issue and the "access_type ignored" issue. Users on >= 0.9.0 are not affected.

Severity
8.0 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:28:34Z",
    "nvd_published_at": "2026-05-15T20:16:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAny authenticated user can permanently delete files owned by other users via `DELETE /api/v1/files/{id}` when the target file is referenced in any shared chat. The `has_access_to_file()` authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting user\u0027s identity nor the type of operation being performed. File UUIDs (which would otherwise be impractical to guess) are disclosed to any user with read access to a knowledge base via `GET /api/v1/knowledge/{id}/files`.\n\n### Details\n\nThe root cause is in `has_access_to_file()` in [backend/open_webui/routers/files.py](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/files.py).\n\nWhen a user calls `DELETE /api/v1/files/{file_id}`, the endpoint delegates authorization to `has_access_to_file(file_id, access_type=\"write\", user=requesting_user)`. Inside that function, one branch checks whether the file is referenced in any shared chat:\n\n```python\nchats = Chats.get_shared_chats_by_file_id(file_id, db=db)\nif chats:\n    return True\n```\n\nThis branch has two missing checks:\n\n1. **No user check:** It asks \"does any shared chat anywhere reference this file?\", not \"does the requesting user own or participate in that chat.\" Any authenticated user passes this check.\n2. **No operation check:** The `access_type` parameter (`\"write\"` for delete) is accepted but never inspected. The branch returns `True` regardless of whether the caller is requesting read access or delete access.\n\nThe result: if any user has shared any chat that references a file, that file becomes deletable by every authenticated user on the instance.\n\nThe delete endpoint has no secondary ownership check (unlike the content-update endpoint), so this authorization bypass leads directly to permanent file removal from the database, disk, and all knowledge base associations.\n\n**How an attacker obtains file UUIDs:**\n\nUUIDs are impractical to brute-force, but they don\u0027t need to be. Any user with read access to a knowledge base can retrieve the file IDs of every document in it via `GET /api/v1/knowledge/{id}/files`. In deployments where knowledge bases are shared across teams (a common and intended use case), this gives any regular user a list of valid file UUIDs they can target.\n\n**Suggested fix**:  gate the shared-chat branch on `access_type` so it only authorizes read operations:\n\n```python\nif access_type == \"read\":\n    chats = Chats.get_shared_chats_by_file_id(file_id, db=db)\n    if chats:\n        return True\n```\n\n**Classification:**\n- CWE-639: Authorization Bypass Through User-Controlled Key\n- OWASP API1:2023: Broken Object Level Authorization\n- CVSS 3.1: 5.7 \u2014 `AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H`\n\nTested on Open WebUI **0.8.3** using a default Docker configuration.\n\n### PoC\n\n**Prerequisites:**\n- Default Open WebUI installation (Docker: `ghcr.io/open-webui/open-webui:main`)\n- Two user accounts: a victim (any role) and an attacker (role: `user`)\n\n**Setup (victim):**\n1. Log in as the victim\n2. Create a knowledge base and upload a document\n3. Start a new chat, attach the KB file, and send a message\n4. Share the chat using the share button\n\n**Obtaining the file UUID (attacker):**\n\nIf the attacker has read access to the knowledge base (e.g. a shared team KB), the file UUID is available via:\n\n```\nGET /api/v1/knowledge/{kb_id}/files\n```\n\nThis returns metadata for all files in the KB, including their UUIDs.\n\n**Exploit (attacker):**\n\n```bash\npython3 poc.py --url http://\u003chost\u003e:3000 --file-id \u003ctarget-file-uuid\u003e -t \u003cattacker-jwt\u003e\n```\n\nThe PoC script (attached as `poc.py`):\n1. Authenticates as the attacker\n2. Confirms the target file is accessible via `GET /api/v1/files/{id}/data/content`\n3. Deletes the file via `DELETE /api/v1/files/{id}`\n4. Verifies permanent deletion (HTTP 404 on subsequent GET)\n\nNo special tooling is required \u2014 the script uses only Python 3 standard library (`urllib`).\n\n### Impact\n\n**Who is affected:** Any multi-user Open WebUI deployment where chat sharing is enabled (the default). The attacker needs a valid account (any role) and a target file UUID, which is available through any shared knowledge base.\n\n**What can happen:**\n- **Permanent data destruction:** The file is removed from the database, disk, and all knowledge base associations with no recovery mechanism.\n- **Knowledge base degradation:** If the file was part of a RAG knowledge base, that KB silently loses the document with no user-facing indication that content is missing.\n- **No audit trail:** The delete operation does not record which user performed it.\n\nSharing a chat is a routine collaboration action. The current behavior means that doing so inadvertently makes every referenced file deletable by any authenticated user on the instance.\n\n### Disclaimer on the use of AI powered tools \n\nThe research and reporting related to this vulnerability was aided by AI tools. \n\n## Scope clarification\n\nThe root cause is the `has_access_to_file()` shared-chat branch returning `True` regardless of `access_type` or requesting user. The original PoC demonstrates DELETE (`access_type=\u0027write\u0027`), but the same gate is what authorizes the read (`GET /api/v1/files/{id}`, `GET /api/v1/files/{id}/content`) and modify (`POST /api/v1/files/{id}/data/content/update`) endpoints. All three access modes are bypassed by the same function gap, so the practical impact is read + modify + delete on any file referenced by any shared chat.\n\n## Resolution\n\nFixed in commit [2e52ad8ff](https://github.com/open-webui/open-webui/commit/2e52ad8ff2f8d9ed9f38f76e9bc19c8f92d91fc3) (\"refac: shared chat\"), first released in **v0.9.0** (Apr 2026). The shared-chat feature was refactored to introduce a dedicated `shared_chats` table and gate shared-chat access through `AccessGrants` (`resource_type=\u0027shared_chat\u0027`). `has_access_to_file()` (now in `backend/open_webui/utils/access_control/files.py:68-80`) calls `AccessGrants.get_accessible_resource_ids` to filter the shared-chat IDs to only those the requesting user has an explicit grant on \u2014 ownership, group membership, or public share \u2014 before returning `True`\n\nThe new gate is permission-aware (\u0027read\u0027 here) and user-aware, closing both the \"any user passes\" issue and the \"access_type ignored\" issue. Users on \u003e= 0.9.0 are not affected.",
  "id": "GHSA-26g9-27vm-x3q8",
  "modified": "2026-05-15T23:54:57Z",
  "published": "2026-05-14T20:28:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26g9-27vm-x3q8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/commit/2e52ad8ff2f8d9ed9f38f76e9bc19c8f92d91fc3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.