Unknown · Open-Webui · CVE-2026-29070
**Name of the Vulnerable Software and Affected Versions**
Open WebUI versions prior to 0.8.6
**Description**
Open WebUI is an artificial intelligence platform designed for offline operation. A missing access control check when deleting files from a knowledge base allows a user with write access to a knowledge base (or an administrator) to delete arbitrary files from any knowledge base, provided they know the file ID. The issue stems from a lack of validation that the file being deleted actually belongs to the knowledge base the user has access to. The vulnerable code is located in the `/api/v1/knowledge/{id}/file/remove` API endpoint, specifically within the `remove_file_from_knowledge_by_id` function. The `file_id` parameter, `form_data.file_id`, is not validated against the current knowledge base. A proof of concept demonstrates an attacker deleting a file from a victim's knowledge base by submitting a request to their own collection with the victim's file ID.
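The missing check described above, as an added example (not Open WebUI's code and not the project's patch): an in-memory model that contrasts a handler authorizing only the knowledge base named in the URL with one that also confirms the file is attached to that knowledge base. `Store`, `remove_file_unchecked`, `remove_file_checked`, `sample_store` and all ids are hypothetical names and constructed data.

```python
# Added illustration: in-memory stand-in, not Open WebUI's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller lacks write access to the knowledge base."""


class NotInKnowledgeBase(Exception):
    """file_id is not attached to the knowledge base named in the URL."""


@dataclass
class Store:
    # knowledge base id -> ids of files attached to it (constructed data)
    kb_files: dict = field(default_factory=dict)
    # knowledge base id -> user ids with write access
    kb_writers: dict = field(default_factory=dict)
    # file id -> stored content
    files: dict = field(default_factory=dict)


def remove_file_unchecked(store, user, kb_id, file_id):
    """Pattern from the advisory: access is checked on kb_id only."""
    if user not in store.kb_writers.get(kb_id, set()):
        raise Forbidden(kb_id)
    # file_id is never compared with kb_id, so any known id is deleted.
    for attached in store.kb_files.values():
        attached.discard(file_id)
    return store.files.pop(file_id, None) is not None


def remove_file_checked(store, user, kb_id, file_id):
    """Same handler with the membership check added before deletion."""
    if user not in store.kb_writers.get(kb_id, set()):
        raise Forbidden(kb_id)
    if file_id not in store.kb_files.get(kb_id, set()):
        raise NotInKnowledgeBase(file_id)
    store.kb_files[kb_id].discard(file_id)
    return store.files.pop(file_id, None) is not None


def sample_store():
    """Two users, each with one knowledge base holding one file."""
    return Store(
        kb_files={"kb-a": {"file-a"}, "kb-b": {"file-b"}},
        kb_writers={"kb-a": {"alice"}, "kb-b": {"bob"}},
        files={"file-a": b"a", "file-b": b"b"},
    )
```

A regression test for this class of bug should assert that a request naming one knowledge base and a file attached to a different one is rejected and leaves the file in place.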
**Recommendations**
Update Open WebUI to version 0.8.6 or later.