CVE-2026-45671 Overview
CVE-2026-45671 is a broken access control vulnerability [CWE-639] in Open WebUI, a self-hosted artificial intelligence platform designed to operate entirely offline. Versions prior to 0.9.0 allow any authenticated user to permanently delete files owned by other users. The flaw resides in the has_access_to_file() authorization function, which unconditionally grants access through its shared-chat branch without verifying the requesting user's identity or the operation type. File UUIDs required for exploitation are disclosed to any user with read access to a knowledge base via the GET /api/v1/knowledge/{id}/files endpoint. The maintainers fixed this issue in version 0.9.0.
Critical Impact
Authenticated low-privilege users can permanently destroy files belonging to other users, causing irreversible data loss across shared Open WebUI deployments.
Affected Products
- Open WebUI versions prior to 0.9.0
- Self-hosted Open WebUI deployments with multiple authenticated users
- Open WebUI instances exposing shared chats or knowledge bases
Discovery Timeline
- 2026-05-15 - CVE-2026-45671 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-45671
Vulnerability Analysis
The vulnerability stems from a flawed authorization check in Open WebUI's file management subsystem. The has_access_to_file() function gates access to file operations but contains a logic error in its shared-chat branch. When a file is referenced in any shared chat, the function returns True without further validation.
This branch does not check the identity of the requesting user. It also does not differentiate between read operations and destructive operations such as deletion. As a result, the DELETE /api/v1/files/{id} endpoint accepts deletion requests from any authenticated user as long as the target file appears in some shared chat.
The attack requires the file UUID, which would typically resist brute-force enumeration. However, Open WebUI exposes file UUIDs through GET /api/v1/knowledge/{id}/files to any user with read access to a knowledge base. This disclosure converts a theoretical guessing problem into a practical exploitation path.
Root Cause
The root cause is improper access control bound to object identity. The shared-chat code path treats file inclusion in a shared chat as a sufficient authorization signal. It conflates discoverability with permission and ignores the principle that delete operations require ownership verification.
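The following is an added illustration, not Open WebUI's actual code: a minimal in-memory model of a file authorization check with the flawed shared-chat branch described above, placed beside a corrected version that grants shared-chat access for reads only and requires ownership for destructive operations. The class and function names (FileRecord, Chat, has_access_to_file_vulnerable, has_access_to_file_fixed, delete_file), the access_type values and the sample users and file ids are all hypothetical.

```python
"""Added example (not Open WebUI's own code): flawed vs corrected file authorization.

Names, data and the access_type convention ("read" / "write") are assumptions
made for this illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class FileRecord:
    id: str
    owner_id: str


@dataclass
class Chat:
    id: str
    owner_id: str
    shared: bool
    file_ids: set = field(default_factory=set)


# Constructed sample data: alice's file is referenced in a shared chat,
# bob's file only in a private one.
FILES = {
    "f-1111": FileRecord("f-1111", owner_id="alice"),
    "f-2222": FileRecord("f-2222", owner_id="bob"),
}
CHATS = [
    Chat("c-1", owner_id="alice", shared=True, file_ids={"f-1111"}),
    Chat("c-2", owner_id="bob", shared=False, file_ids={"f-2222"}),
]


def file_in_shared_chat(file_id: str) -> bool:
    """True if any shared chat references the file."""
    return any(c.shared and file_id in c.file_ids for c in CHATS)


def has_access_to_file_vulnerable(file_id: str, user_id: str, access_type: str = "read") -> bool:
    """Models the flaw: a shared-chat reference grants any user any operation."""
    f = FILES.get(file_id)
    if f is None:
        return False
    if f.owner_id == user_id:
        return True
    if file_in_shared_chat(file_id):
        return True  # neither the requester nor the operation type is checked
    return False


def has_access_to_file_fixed(file_id: str, user_id: str, access_type: str = "read") -> bool:
    """Corrected: shared-chat references grant read only; anything else needs ownership."""
    f = FILES.get(file_id)
    if f is None:
        return False
    if f.owner_id == user_id:
        return True
    if access_type == "read" and file_in_shared_chat(file_id):
        return True
    return False


def delete_file(file_id: str, user_id: str, check) -> int:
    """Simulated DELETE handler: returns the HTTP status the check would produce."""
    if not check(file_id, user_id, "write"):
        return 403
    # A real handler would remove the file from storage here.
    return 200


if __name__ == "__main__":
    for name, check in (("vulnerable", has_access_to_file_vulnerable),
                        ("fixed", has_access_to_file_fixed)):
        print(name, "mallory DELETE f-1111 ->", delete_file("f-1111", "mallory", check))
```

Running the block shows the non-owner "mallory" receiving 200 from the vulnerable check and 403 from the corrected one for the same shared file; the corrected check still lets mallory read the shared file and lets the owner delete it. The essential change is that the shared-chat branch is keyed on the operation type, so discoverability never implies permission to destroy.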
Attack Vector
An authenticated attacker enumerates file UUIDs through a knowledge base listing endpoint. The attacker then issues a DELETE /api/v1/files/{id} request for each targeted file. The server invokes has_access_to_file(), which returns True through the shared-chat branch, and the backend permanently removes the file. Exploitation requires network access to the Open WebUI instance and valid user credentials but does not require administrative privileges.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-26g9-27vm-x3q8 for vendor technical details.
Detection Methods for CVE-2026-45671
Indicators of Compromise
- Unexpected DELETE /api/v1/files/{id} requests in Open WebUI access logs originating from non-owner accounts
- File deletion events affecting files referenced in shared chats without corresponding owner activity
- High-volume enumeration of GET /api/v1/knowledge/{id}/files followed shortly by file deletion requests
- User reports of missing files in chats, knowledge bases, or document collections
Detection Strategies
- Audit Open WebUI application logs for DELETE requests targeting /api/v1/files/{id} and correlate the requesting user against the file owner stored in the database.
- Monitor for sequential access patterns where a single session lists knowledge base files and then issues deletion calls within a short time window.
- Compare current file inventories against backups to identify unauthorized deletions that may already have occurred.
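The following added example (not part of the advisory or of Open WebUI) implements the first two detection strategies over a handful of constructed access-log lines: it flags DELETE requests on /api/v1/files/{id} whose requester is not the file owner, and it flags users who list knowledge-base files and then issue deletions within a short window. The log line format, the FILE_OWNERS table (which in a real deployment would be queried from the Open WebUI database), the 120-second window and the sample users and ids are assumptions.

```python
"""Added example (not Open WebUI's code): cross-user delete and list-then-delete detection.

The log format, FILE_OWNERS and the window size are assumptions for this example.
"""
import re
from datetime import datetime, timedelta

# Assumed reverse-proxy log format: "<iso-ts> user=<id> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
FILES_PATH_RE = re.compile(r"^/api/v1/files/(?P<id>[^/]+)$")
KB_FILES_RE = re.compile(r"^/api/v1/knowledge/[^/]+/files$")

# Constructed owner table (real deployments: query the file owner from the database).
FILE_OWNERS = {"f-1111": "alice", "f-2222": "bob", "f-3333": "carol"}

# Constructed log sample: alice deletes her own file; mallory lists a knowledge
# base and then deletes two files owned by other users within seconds.
SAMPLE_LOG = """\
2026-05-16T10:00:01Z user=alice DELETE /api/v1/files/f-1111 200
2026-05-16T10:00:05Z user=mallory GET /api/v1/knowledge/kb-1/files 200
2026-05-16T10:00:09Z user=mallory DELETE /api/v1/files/f-2222 200
2026-05-16T10:00:12Z user=mallory DELETE /api/v1/files/f-3333 200
2026-05-16T12:30:00Z user=bob GET /api/v1/knowledge/kb-1/files 200
"""


def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def cross_user_deletes(events: list, owners: dict) -> list:
    """Strategy 1: DELETE on /api/v1/files/{id} where the requester is not the owner."""
    hits = []
    for e in events:
        if e["method"] != "DELETE":
            continue
        m = FILES_PATH_RE.match(e["path"])
        if not m:
            continue
        owner = owners.get(m.group("id"))
        if owner is not None and owner != e["user"]:
            hits.append((e["user"], m.group("id"), owner))
    return hits


def list_then_delete(events: list, window: timedelta = timedelta(seconds=120)) -> list:
    """Strategy 2: a user lists knowledge-base files, then deletes a file within the window."""
    last_list = {}
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["method"] == "GET" and KB_FILES_RE.match(e["path"]):
            last_list[e["user"]] = e["ts"]
        elif e["method"] == "DELETE" and FILES_PATH_RE.match(e["path"]):
            t = last_list.get(e["user"])
            if t is not None and e["ts"] - t <= window:
                hits.append((e["user"], e["path"], int((e["ts"] - t).total_seconds())))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("cross-user deletes:", cross_user_deletes(evs, FILE_OWNERS))
    print("list-then-delete:", list_then_delete(evs))
```

On the sample, alice's deletion of her own file is not reported, while both of mallory's deletions are reported by each strategy. The owner check is the more reliable signal because it needs no timing assumption; the list-then-delete pattern is useful where the owner table is not available to the log pipeline, at the cost of missing attackers who space out their requests beyond the window.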
Monitoring Recommendations
- Enable verbose request logging on the Open WebUI reverse proxy, capturing authenticated user identifiers, endpoint paths, and HTTP methods.
- Forward Open WebUI logs to a central SIEM and alert on cross-user file deletion patterns.
- Track baseline file deletion rates per user and trigger alerts when a single account exceeds expected activity.
How to Mitigate CVE-2026-45671
Immediate Actions Required
- Upgrade Open WebUI to version 0.9.0 or later, which contains the official fix from the maintainers.
- Inventory user accounts and revoke access for inactive or untrusted users until the upgrade is complete.
- Take a verified backup of all files, knowledge bases, and chat data before applying the upgrade.
- Review access logs for DELETE /api/v1/files/{id} activity to identify any prior abuse.
Patch Information
The vendor fixed CVE-2026-45671 in Open WebUI version 0.9.0. The fix corrects the has_access_to_file() authorization logic so that the shared-chat branch no longer grants unconditional access. Administrators should review the Open WebUI GitHub Security Advisory GHSA-26g9-27vm-x3q8 for full upgrade instructions.
Workarounds
- Restrict Open WebUI access to trusted users only until the upgrade to 0.9.0 is applied.
- Disable shared chat functionality where feasible to remove the vulnerable authorization branch from active use.
- Place Open WebUI behind a reverse proxy that blocks DELETE requests to /api/v1/files/{id} from non-administrator accounts as a temporary control.
- Maintain offline backups of all uploaded files and knowledge base content to enable recovery from unauthorized deletions.
# Example reverse proxy rule (nginx) blocking DELETE on the vulnerable endpoint.
# limit_except permits only the listed methods (GET implicitly permits HEAD) and
# rejects the rest, so this blocks DELETE for every account, owners and
# administrators included, until the upgrade restores per-user authorization.
location ~ ^/api/v1/files/[^/]+$ {
    limit_except GET POST {
        deny all;
    }
    proxy_pass http://open-webui-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


