CVE-2026-44565 Overview
CVE-2026-44565 is a path traversal vulnerability in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.6.10 derive the stored filename of audio uploads directly from the HTTP request without validation or sanitization. Authenticated users can supply filenames containing dot-segments such as ../ and write files outside the intended uploads directory. The flaw maps to CWE-22 and is fixed in version 0.6.10.
Critical Impact
Authenticated attackers can write arbitrary files anywhere the web server process has filesystem permissions, enabling integrity compromise and potential code execution paths.
Affected Products
- Open WebUI versions prior to 0.6.10
- Self-hosted Open WebUI deployments exposing the audio upload endpoint
- Open WebUI instances running with elevated filesystem permissions
Discovery Timeline
- 2026-05-15 - CVE-2026-44565 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44565
Vulnerability Analysis
The vulnerability resides in Open WebUI's audio file upload handler. When a client submits an audio file, the server uses the filename provided in the HTTP upload request as the final storage name. The handler performs no canonicalization, no allowlist filtering, and no rejection of path separators or dot-segments.
An authenticated user can craft a request whose filename contains traversal sequences such as ../../etc/cron.d/payload. The server resolves this relative to the uploads directory and writes the attacker-controlled content at the traversed location. The write occurs with the privileges of the user running the Open WebUI process.
Because Open WebUI is frequently deployed in containers or under service accounts that own application code and configuration, an attacker can target files inside the application directory itself. Overwriting Python modules, templates, or configuration loaded by the platform creates a path to code execution within the AI service.
Root Cause
The root cause is missing input validation on a user-controlled filename, a classic CWE-22 Improper Limitation of a Pathname to a Restricted Directory. The upload handler trusts the client-supplied name and concatenates it with the uploads base path without invoking a safe-join routine or stripping .. components.
Attack Vector
Exploitation requires network access to the Open WebUI instance and valid low-privilege credentials. The attacker issues a multipart upload request to the audio endpoint with a filename containing dot-segments pointing to the target write location. No user interaction is required after authentication. Refer to the Open WebUI GHSA-j3fw-wc48-29g3 advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-44565
Indicators of Compromise
- Audio upload requests where the filename parameter contains ../, ..\, URL-encoded %2e%2e%2f, or absolute path prefixes
- New or modified files in directories outside the configured Open WebUI uploads path, owned by the Open WebUI service account
- Unexpected files appearing in sensitive locations such as ~/.ssh/, /etc/cron.d/, or the Open WebUI application directory
- HTTP 200 responses to audio upload requests carrying suspicious filenames
Detection Strategies
- Inspect reverse proxy and application access logs for upload requests whose Content-Disposition filename field contains traversal sequences
- Enable filesystem integrity monitoring on the host or container running Open WebUI, focusing on application code, configuration, and user home directories
- Alert on process writes by the Open WebUI service account to paths outside the designated uploads directory
Monitoring Recommendations
- Forward Open WebUI access logs and host filesystem events to a centralized analytics platform for correlation
- Baseline the expected uploads directory contents and alert on writes that resolve outside it
- Track authentication events that precede upload activity to scope which accounts may be abused
How to Mitigate CVE-2026-44565
Immediate Actions Required
- Upgrade Open WebUI to version 0.6.10 or later on all self-hosted instances
- Audit the filesystem for files written by the Open WebUI service account outside the uploads directory since deployment
- Rotate any credentials, tokens, or keys reachable from the Open WebUI process if compromise is suspected
- Restrict network exposure of the Open WebUI interface to trusted users and networks until patched
Patch Information
The vendor has released a fix in Open WebUI 0.6.10. The patched version validates and sanitizes the uploaded audio filename before constructing the destination path. See the Open WebUI GHSA-j3fw-wc48-29g3 advisory for release notes and upgrade guidance.
Workarounds
- Run Open WebUI under a dedicated, unprivileged service account whose write permissions are scoped to the uploads directory only
- Deploy Open WebUI inside a container with a read-only root filesystem and a writable volume mounted exclusively at the uploads path
- Place an authenticating reverse proxy in front of Open WebUI and reject upload requests whose filename field contains .., /, \, or encoded equivalents
# Configuration example: restrict the Open WebUI container filesystem
docker run -d \
--name open-webui \
--read-only \
--tmpfs /tmp \
-v open-webui-uploads:/app/backend/data/uploads \
--user 1000:1000 \
--cap-drop ALL \
-p 127.0.0.1:8080:8080 \
ghcr.io/open-webui/open-webui:0.6.10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
