CVE-2026-44566 Overview
CVE-2026-44566 is a path traversal vulnerability in Open WebUI, a self-hosted AI chat interface that can run fully offline. The flaw affects all versions prior to 0.1.124. When a user attaches a file to a prompt, Open WebUI takes the filename from the HTTP upload request without validating or sanitizing it. An attacker can submit a filename containing dot-segments (../) to escape the intended uploads directory, which allows file writes to any location the web server process can write. The issue is tracked under [CWE-22] and fixed in version 0.1.124.
Critical Impact
An attacker who can reach the file attachment endpoint (without authentication in vulnerable configurations) can write attacker-chosen content to any filesystem location writable by the Open WebUI process. Because the content is also attacker-controlled, a write into a cron directory, an autostart location or an SSH authorized_keys file turns the traversal into remote code execution.
Affected Products
- Open WebUI versions prior to 0.1.124
- Self-hosted Open WebUI deployments accepting file attachments in prompts
- All operating systems running the affected Open WebUI server
Discovery Timeline
- 2026-05-15 - CVE-2026-44566 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-44566
Vulnerability Analysis
The vulnerability resides in the file attachment handler within Open WebUI's prompt processing pipeline. When a user uploads a file to attach to a prompt, the server takes the filename directly from the filename parameter of the multipart part's Content-Disposition header. It then builds the destination path by joining the configured uploads directory with this attacker-controlled value. Nothing removes ../ sequences, rejects absolute paths, or checks that the normalized result still lies inside the uploads directory, so the write can land anywhere the process has permission.
What the attacker gains depends on the privileges of the account running Open WebUI. Common outcomes include overwriting configuration files, planting scripts in cron or autostart locations, replacing trusted binaries, or corrupting model files. Where Open WebUI runs as root or another privileged account, the result is full host compromise.
Root Cause
The root cause is missing input validation on filenames received from HTTP upload requests. The application trusts client-supplied filenames and uses them directly in filesystem operations. A correct implementation must reject or sanitize filenames containing dot-segments, path separators, absolute path prefixes, or null bytes before constructing the destination path, and should additionally verify that the resolved destination still lies inside the uploads directory, since pattern stripping alone is easy to get wrong.
Attack Vector
The attack vector is network-based and, in vulnerable configurations, requires no authentication or user interaction. The attacker sends a crafted multipart HTTP request to the Open WebUI file attachment endpoint with a filename such as ../../../../etc/cron.d/payload; the server writes the part's contents to the resolved path. Repeated requests let the attacker plant as many files as needed across the filesystem.
For technical details, refer to the Open WebUI GHSA-9pgh-j74g-qj6m Advisory.
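The root cause and attack vector above come down to one line of path construction. The following is an added illustration, not Open WebUI's code and not the patch: it puts the vulnerable join beside a naive "strip ../" fix that still escapes, and beside a hardened builder that rejects bad names and re-checks containment on the resolved path. The uploads directory, function names and the server-chosen id prefix are assumptions made for the demonstration.

```python
"""Vulnerable vs. hardened destination-path construction for an upload handler.

Added illustration, not Open WebUI's code. The directory and helper names
are assumptions chosen for the demonstration.
"""
import os
import uuid
from pathlib import Path
from typing import Optional

# Constructed example directory; the checks do not depend on the real layout.
UPLOADS_DIR = "/srv/openwebui/uploads"


def vulnerable_destination(uploads_dir: str, client_filename: str) -> str:
    """The pattern the advisory describes: the client-supplied name is joined as-is.
    normpath is applied only to show where the write lands once dot-segments
    collapse; an absolute filename makes os.path.join discard uploads_dir."""
    return os.path.normpath(os.path.join(uploads_dir, client_filename))


def naive_strip_destination(uploads_dir: str, client_filename: str) -> str:
    """An insufficient fix: deleting '../' in one pass. '....//' survives the
    pass as '../', so a doubled payload still walks out of the directory."""
    stripped = client_filename.replace("../", "")
    return os.path.normpath(os.path.join(uploads_dir, stripped))


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must not reach the filesystem."""


def check_filename(client_filename: str) -> str:
    """Accept a single plain path component; reject everything else outright.
    Rejecting (rather than silently cleaning) also gives detection a signal."""
    if not client_filename or "\x00" in client_filename:
        raise UnsafeFilename("empty filename or embedded null byte")
    # Both separators are hostile: a backslash payload is harmless on POSIX but
    # traverses on Windows, and a later rewrite may move between the two.
    if "/" in client_filename or "\\" in client_filename:
        raise UnsafeFilename("path separator in filename")
    if client_filename in (".", ".."):
        raise UnsafeFilename("dot-segment filename")
    # 'C:x' is a drive-relative path on Windows even without a separator.
    if ":" in client_filename:
        raise UnsafeFilename("drive specifier in filename")
    return client_filename


def safe_destination(uploads_dir: str, client_filename: str,
                     file_id: Optional[str] = None) -> str:
    """Validate the name, prefix a server-chosen id, then re-check containment
    on the resolved path as a second line of defence."""
    name = check_filename(client_filename)
    base = Path(uploads_dir).resolve()
    # The server, not the client, picks the stored name, so two uploads named
    # 'config.yaml' cannot overwrite each other either.
    stored = f"{file_id or uuid.uuid4().hex}_{name}"
    candidate = (base / stored).resolve()
    if candidate.parent != base:
        raise UnsafeFilename("resolved path left the uploads directory")
    return str(candidate)


def is_rejected(client_filename: str) -> bool:
    """True if the hardened builder refuses the name (used by the demo below)."""
    try:
        safe_destination(UPLOADS_DIR, client_filename, file_id="demo")
    except UnsafeFilename:
        return True
    return False


if __name__ == "__main__":
    evil = "../../../../etc/cron.d/payload"
    print("vulnerable :", vulnerable_destination(UPLOADS_DIR, evil))
    print("naive strip:", naive_strip_destination(UPLOADS_DIR, "....//....//etc/passwd"))
    print("hardened   :", safe_destination(UPLOADS_DIR, "report.pdf", file_id="demo"))
    for name in (evil, "/etc/passwd", "..\\..\\boot.ini", "a\x00.txt"):
        print("rejected   :", repr(name), is_rejected(name))
```

Run it and the vulnerable join resolves the advisory's example name to /etc/cron.d/payload, while the single-pass strip turns ....//....//etc/passwd into /srv/etc/passwd, two directories above the uploads tree. The hardened builder refuses every one of those inputs; the containment check on the resolved path is redundant for a name that passed check_filename, which is exactly why it is there: if someone later loosens the filter, the write still cannot leave the directory.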
Detection Methods for CVE-2026-44566
Indicators of Compromise
- HTTP requests to Open WebUI upload endpoints containing ../, ..\, or URL-encoded variants (%2e%2e%2f) in the filename field
- New or modified files in sensitive directories such as /etc/cron.d/, ~/.ssh/, or web server document roots correlated with Open WebUI process activity
- Unexpected child processes spawned by the Open WebUI service user
- Files appearing outside the configured Open WebUI uploads directory with creation timestamps matching upload request logs
Detection Strategies
- Inspect logs for upload requests whose filename field contains dot-segment patterns; note that standard web server and reverse proxy access logs do not record multipart bodies, so the filename is only visible in application logs or in a proxy or WAF configured to log upload metadata
- Monitor filesystem write events from the Open WebUI process and alert on writes outside the designated uploads directory
- Deploy file integrity monitoring on system directories such as /etc, /var/spool/cron, and user home directories
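The first detection strategy above is simple to state but easy to get wrong on encoded input. The following is an added example, not Open WebUI's code or its log format: it scans a few constructed application log lines for a filename field and flags traversal after bounded percent-decoding (so %2e%2e%2f and double-encoded %252e variants are caught) and after folding backslashes into slashes. The log layout and the FILENAME_RE extraction pattern are assumptions; adapt them to what your deployment actually logs.

```python
"""Flag traversal attempts in upload filenames recorded in application logs.

Added illustration, not Open WebUI's code. The log format below is
constructed for the example; adapt FILENAME_RE to whatever your deployment
actually logs (standard access logs do not record multipart bodies).
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in a hypothetical 'upload' log format.
SAMPLE_LOG = (
    '2026-05-16T10:01:02Z INFO upload user=alice filename="report.pdf" size=1024\n'
    '2026-05-16T10:01:07Z INFO upload user=bob filename="../../../../etc/cron.d/payload" size=88\n'
    '2026-05-16T10:01:09Z INFO upload user=bob filename="..%2f..%2f..%2fhome%2Fsvc%2F.ssh%2Fauthorized_keys" size=400\n'
    '2026-05-16T10:01:11Z INFO upload user=bob filename="%252e%252e%252fetc%252fpasswd" size=12\n'
    '2026-05-16T10:01:12Z INFO upload user=carol filename="..\\..\\windows\\win.ini" size=30\n'
    '2026-05-16T10:01:13Z INFO upload user=dave filename="notes..txt" size=10\n'
    '2026-05-16T10:01:14Z INFO upload user=erin filename="/etc/passwd" size=5\n'
)

FILENAME_RE = re.compile(r'filename="([^"]*)"')
# A '..' segment bounded by separators (or the string ends) after normalisation.
DOT_SEGMENT_RE = re.compile(r"(^|/)\.\.(/|$)")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def decode_filename(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, to catch %252e double encoding) and
    fold backslashes into slashes so one pattern covers both separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify_filename(value: str) -> Optional[str]:
    """Return 'traversal', 'path-in-filename', or None for a benign name."""
    decoded = decode_filename(value)
    if "\x00" in decoded or DOT_SEGMENT_RE.search(decoded):
        return "traversal"
    # A browser upload never carries a directory; any path at all is suspect.
    if decoded.startswith("/") or DRIVE_RE.match(decoded) or "/" in decoded:
        return "path-in-filename"
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, raw_filename, verdict) for every suspicious upload."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = FILENAME_RE.search(line)
        if not match:
            continue
        verdict = classify_filename(match.group(1))
        if verdict:
            hits.append((lineno, match.group(1), verdict))
    return hits


if __name__ == "__main__":
    for lineno, raw, verdict in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict:17s} {raw!r}")
```

Against the sample, lines 2 to 5 are flagged as traversal (plain, single-encoded, double-encoded and backslash forms) and line 7 as a path in the filename; "notes..txt" is left alone because the two dots are not a segment of their own. The bounded decode loop matters: a detector that decodes once misses %252e%252e%252f, and one that decodes without a bound can be kept busy by a long chain of nested encodings.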
Monitoring Recommendations
- Enable verbose logging on the Open WebUI application and forward logs to a centralized analytics platform for correlation
- Track process execution and file creation events from the Open WebUI service account using endpoint telemetry
- Establish a baseline of expected file paths under the uploads directory and alert on deviations
How to Mitigate CVE-2026-44566
Immediate Actions Required
- Upgrade Open WebUI to version 0.1.124 or later without delay
- Audit the filesystem for unexpected files written by the Open WebUI process since deployment
- Restrict the Open WebUI service account to a minimal, non-privileged user with write access limited to the uploads directory
- Place Open WebUI behind an authenticated reverse proxy if exposed to untrusted networks
Patch Information
The maintainers fixed the vulnerability in Open WebUI 0.1.124. The patch adds filename validation and sanitization to strip dot-segments before constructing the destination path. Review the GitHub Security Advisory GHSA-9pgh-j74g-qj6m for full remediation details.
Workarounds
- Run Open WebUI inside a container or chroot with a read-only root filesystem and a single dedicated writable volume for its data directory (uploads and the application database live there), so that a successful traversal can still only land inside that volume
- Apply AppArmor or SELinux policies to restrict filesystem write paths for the Open WebUI process
- Disable file attachment functionality until the patch is applied if upgrade is not immediately possible
# Example: run Open WebUI with restricted filesystem access via Docker.
# The root filesystem is read-only; the only writable locations are /tmp and
# the data directory, which holds uploads as well as the application database
# (mounting only the uploads subdirectory would leave the database unwritable).
# The host directory must be owned by the UID passed to --user.
sudo install -d -o 1000 -g 1000 /srv/openwebui/data
docker run -d \
  --name open-webui \
  --read-only \
  --tmpfs /tmp \
  -v /srv/openwebui/data:/app/backend/data \
  --user 1000:1000 \
  --cap-drop=ALL \
  --security-opt no-new-privileges \
  -p 127.0.0.1:8080:8080 \
  ghcr.io/open-webui/open-webui:0.1.124
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.