Unknown · Open-Webui · CVE-2026-28788
**Name of the Vulnerable Software and Affected Versions**
Open WebUI versions prior to 0.8.6
**Description**
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite the content of any file by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership verification, so a regular user with read access to a shared knowledge base can obtain file UUIDs via the `GET /api/v1/knowledge/{id}/files` endpoint and then overwrite those files, escalating from read to write access. The overwritten content is subsequently served to the LLM via RAG, enabling the attacker to control the model's responses to other users. The root cause is that the `process_files_batch()` function, intended as an internal helper, is exposed as a public endpoint without authorization checks.
**Recommendations**
Open WebUI versions prior to 0.8.6 should be updated to version 0.8.6 or later. Add an ownership check before writing to ensure that `file.user_id == user.id` or that the user has administrator privileges.
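To make the recommended check concrete, the following is an added example and not Open WebUI's own code: it models the batch endpoint over constructed in-memory records, with the pre-fix behaviour beside a hardened version that enforces the owner-or-admin rule per file ID. The names `User`, `FileRecord`, `make_files`, `can_write` and the two `process_files_batch_*` functions are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed stand-ins for a user and a stored file record (not Open WebUI's models).
@dataclass
class User:
    id: str
    role: str = "user"  # "user" or "admin"

@dataclass
class FileRecord:
    id: str
    user_id: str  # owner of the file
    content: str

def make_files() -> dict[str, FileRecord]:
    """Constructed file table: two files owned by different users, both readable
    through a shared knowledge base, so their UUIDs are known to all its readers."""
    return {
        "f-1111": FileRecord("f-1111", user_id="alice", content="original policy text"),
        "f-2222": FileRecord("f-2222", user_id="carol", content="original notes"),
    }

def can_write(user: User, f: FileRecord) -> bool:
    """The advisory's ownership rule: only the owner or an administrator may write."""
    return f.user_id == user.id or user.role == "admin"

def process_files_batch_vulnerable(user: User, file_ids: list[str], new_content: str,
                                   files: dict[str, FileRecord]) -> dict:
    """Pre-0.8.6 behaviour: authentication only, no ownership check, so any
    authenticated caller who knows a file ID can replace its content."""
    for fid in file_ids:
        if fid in files:
            files[fid].content = new_content
    return {"status": 200, "updated": list(file_ids)}

def process_files_batch_fixed(user: User, file_ids: list[str], new_content: str,
                              files: dict[str, FileRecord]) -> dict:
    """Hardened: authorize every ID before any write, so a batch mixing owned and
    foreign files is rejected whole rather than partially applied. Unknown IDs are
    reported as denied too, so callers cannot probe which UUIDs exist."""
    denied = [fid for fid in file_ids
              if fid not in files or not can_write(user, files[fid])]
    if denied:
        return {"status": 403, "denied": denied}
    for fid in file_ids:
        files[fid].content = new_content
    return {"status": 200, "updated": list(file_ids)}
```

A detection-side corollary of the fixed version: every 403 it returns carries the denied IDs, which is the event worth logging, since a non-owner submitting a batch of foreign UUIDs is exactly the access pattern this advisory describes.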