CVE-2026-45402 Overview
CVE-2026-45402 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in Open WebUI, a self-hosted artificial intelligence platform. Versions prior to 0.9.5 allow any authenticated user to attach arbitrary files to resources they control by supplying another user's file_id. The affected endpoints do not verify that the caller owns or has access to the referenced file. Through the downstream Retrieval-Augmented Generation (RAG) and file-content paths, an attacker can exfiltrate any other user's private file given knowledge of its UUID. The knowledge-base path additionally permits overwriting the target file.
Critical Impact
Authenticated users can read and overwrite other users' private files by referencing a known file UUID, leading to cross-tenant data exposure and tampering.
Affected Products
- Open WebUI versions prior to 0.9.5
- backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update)
- backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id, add_files_to_knowledge_by_id_batch)
Discovery Timeline
- 2026-05-15 - CVE-2026-45402 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-45402
Vulnerability Analysis
The flaw is an Insecure Direct Object Reference affecting multiple file-attachment endpoints in Open WebUI. When a client submits a request that includes a file_id, the server attaches that file to a resource the caller controls — a folder's knowledge set or a knowledge base — without performing an ownership or authorization check against the file itself. Once attached, the file's content becomes reachable through the standard RAG and file-content retrieval flows available to the caller. Because UUIDs are the sole reference, possession of a target file's UUID is sufficient for cross-account access. On the knowledge-base path, the attacker can also push content that overwrites the original file, breaking integrity in addition to confidentiality.
Root Cause
The server-side handlers in folders.py and knowledge.py trust the user-supplied file_id parameter and skip authorization checks that confirm the caller owns or has been granted access to the referenced file. The access decision is made at the parent resource level, not at the file object level.
Attack Vector
An authenticated attacker sends a crafted request to POST /api/v1/folders/{id}/update, add_file_to_knowledge_by_id, or add_files_to_knowledge_by_id_batch, supplying the UUID of a victim's file. The attacker then reads the file via the RAG or file-content path attached to their own folder or knowledge base. On the knowledge-base endpoints, the same flow can be used to overwrite the victim's file. Refer to the GitHub Security Advisory GHSA-r472-mw7m-967f for technical details.
Detection Methods for CVE-2026-45402
Indicators of Compromise
- Requests to /api/v1/folders/{id}/update containing file_id values that do not appear in the requesting user's prior upload or access history.
- Calls to add_file_to_knowledge_by_id or add_files_to_knowledge_by_id_batch referencing file UUIDs owned by other users.
- Unexpected modifications to knowledge-base file contents not preceded by an upload event from the file's owner.
Detection Strategies
- Correlate file_id parameters in folder and knowledge endpoint requests against the file ownership table to identify cross-user references.
- Alert on knowledge-base file content hashes changing without a matching upload event from the original owner.
- Baseline per-user file-access patterns and flag sudden access to files outside the user's historical scope.
Monitoring Recommendations
- Enable verbose request logging on the Open WebUI backend, capturing authenticated user identity, endpoint, and file_id parameters.
- Forward application logs to a centralized analytics platform and build retention for at least 90 days to support investigation.
- Monitor for enumeration patterns against UUID-bearing endpoints, including bursts of failed or repeated file_id references.
How to Mitigate CVE-2026-45402
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.5 or later, which contains the authorization fix.
- Audit recent requests to the affected endpoints for file_id values referenced by users who do not own them.
- Rotate or review the contents of any knowledge-base files that may have been overwritten while a vulnerable version was running.
Patch Information
The vulnerability is fixed in Open WebUI 0.9.5. The patched handlers in folders.py and knowledge.py validate that the caller owns or has been explicitly granted access to the referenced file before attaching it. See the Open WebUI Security Advisory GHSA-r472-mw7m-967f for the official fix details.
Workarounds
- Restrict access to the Open WebUI instance to trusted users until the upgrade to 0.9.5 is complete.
- Place the affected endpoints behind a reverse proxy or API gateway that enforces per-user authorization on file_id parameters.
- Temporarily disable the folder update and knowledge-base file-attachment features if multi-tenant exposure is a concern.
# Configuration example: upgrade Open WebUI via pip
pip install --upgrade "open-webui>=0.9.5"
# Or, for Docker deployments, pull the patched image and redeploy
docker pull ghcr.io/open-webui/open-webui:0.9.5
docker stop open-webui && docker rm open-webui
docker run -d --name open-webui -p 3000:8080 \
-v open-webui:/app/backend/data \
ghcr.io/open-webui/open-webui:0.9.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
