CVE-2026-28786 Overview
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, the speech-to-text transcription endpoint contains an unsanitized filename field that allows any authenticated non-admin user to trigger a FileNotFoundError. The error message, including the server's absolute DATA_DIR path, is returned verbatim in the HTTP 400 response body, resulting in information disclosure on all default deployments. This path traversal vulnerability (CWE-22) enables attackers to enumerate server directory structures and gather reconnaissance information for further attacks.
Critical Impact
Authenticated users can extract sensitive server path information, potentially exposing deployment configurations and aiding in subsequent attack planning against the Open WebUI infrastructure.
Affected Products
- Open WebUI versions prior to 0.8.6
- All default Open WebUI deployments with speech-to-text functionality enabled
- Self-hosted AI platforms running vulnerable Open WebUI instances
Discovery Timeline
- 2026-03-27 - CVE-2026-28786 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-28786
Vulnerability Analysis
The vulnerability resides in Open WebUI's speech-to-text transcription endpoint, which processes user-supplied filename parameters without proper sanitization. When an authenticated user submits a malformed or non-existent filename, the application generates a Python FileNotFoundError exception. Rather than returning a generic error message, the exception handler exposes the full error context, including the absolute filesystem path where the application stores its data (DATA_DIR).
This information disclosure affects all default deployments because the error handling behavior is consistent across installations. Any authenticated user, regardless of their privilege level, can exploit this vulnerability to confirm the server's directory structure and data storage locations.
Root Cause
The root cause is improper input validation and overly verbose error handling in the speech-to-text endpoint. The filename parameter is passed directly to file system operations without sanitization, and when operations fail, the exception message containing sensitive path information is returned to the client without filtering. This violates the security principle of providing minimal error information to end users while logging detailed errors server-side.
Attack Vector
The attack is network-based and requires only authenticated access to the Open WebUI platform. An attacker with standard user credentials can craft HTTP requests to the speech-to-text transcription endpoint with specially crafted filename values designed to trigger file-not-found errors. The attack flow is as follows:
- Authenticate to Open WebUI with any valid user account
- Submit a request to the speech-to-text endpoint with a non-existent or malformed filename
- Observe the HTTP 400 response containing the FileNotFoundError message
- Extract the absolute DATA_DIR path from the error response
The disclosed path information can then be used for reconnaissance to understand the server's filesystem layout, potentially identifying additional attack surfaces or sensitive configuration files.
Detection Methods for CVE-2026-28786
Indicators of Compromise
- Unusual patterns of HTTP 400 responses from the speech-to-text transcription endpoint
- Multiple failed file access attempts from the same authenticated user session
- Log entries showing FileNotFoundError exceptions with path traversal sequences
- Repeated requests to the transcription API with intentionally malformed filenames
Detection Strategies
- Monitor application logs for FileNotFoundError exceptions in the speech-to-text module
- Implement alerting on unusual volumes of HTTP 400 responses from API endpoints
- Deploy web application firewall (WAF) rules to detect path traversal patterns in request parameters
- Review authentication logs for accounts making repeated failed API requests
Monitoring Recommendations
- Enable verbose logging for the speech-to-text endpoint to capture request parameters
- Configure SIEM rules to correlate authentication events with subsequent API errors
- Establish baseline metrics for transcription endpoint error rates to identify anomalies
- Monitor for reconnaissance patterns that may indicate pre-attack information gathering
How to Mitigate CVE-2026-28786
Immediate Actions Required
- Upgrade Open WebUI to version 0.8.6 or later immediately
- Review application logs for evidence of exploitation attempts
- Audit user accounts that have accessed the speech-to-text functionality
- Consider implementing additional access controls for sensitive API endpoints
Patch Information
Open WebUI version 0.8.6 addresses this vulnerability by implementing proper input sanitization for the filename field and ensuring error messages do not expose sensitive server path information. Organizations should update to this version or later as soon as possible. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to the speech-to-text endpoint to trusted users only until patching is complete
- Implement a reverse proxy or WAF rule to sanitize filename parameters before they reach the application
- Configure custom error pages to prevent verbose error messages from reaching clients
- Disable the speech-to-text functionality temporarily if not essential to operations
# Example: Restrict speech-to-text endpoint access in nginx reverse proxy
location /api/v1/audio/transcriptions {
# Allow only specific trusted IP addresses
allow 10.0.0.0/8;
deny all;
# Proxy to Open WebUI backend
proxy_pass http://localhost:8080;
proxy_intercept_errors on;
error_page 400 = @custom_error;
}
location @custom_error {
return 400 '{"error": "Request could not be processed"}';
add_header Content-Type application/json;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
