Unknown · Open-Webui · CVE-2026-54010
**Name of the Vulnerable Software and Affected Versions**
Open WebUI versions prior to 0.9.6
**Description**
An authenticated user can attach arbitrary `file id` values to their own chat messages because the system fails to verify if the user owns or has read access to those files. By sharing the chat and granting themselves read access, the `has access to file()` function incorrectly treats the victim's file as accessible. This allows an attacker to read a victim's file via the 'GET /api/v1/files/{id}/content' endpoint or delete it via the 'DELETE /api/v1/files/{id}' endpoint.
Additionally, the shared-chat authorization branch ignores the `access type`, meaning a user granted only read access to a legitimately shared chat can delete files attached to that chat.
**Recommendations**
Update to version 0.9.6 or later.
As a temporary workaround, restrict access to the 'GET /api/v1/files/{id}/content' and 'DELETE /api/v1/files/{id}' endpoints to authorized administrators only.