PT-2026-28381 · Unknown · Open-Webui
Akshatgit · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-28786

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.6

Description: Open WebUI is a self-hosted artificial intelligence platform designed for offline operation. A flaw exists in the speech-to-text transcription endpoint, where an unsanitized filename field allows any authenticated, non-admin user to trigger a FileNotFoundError. The error message, including the server's absolute DATA_DIR path, is returned in the HTTP 400 response body, leading to information disclosure on default deployments.

The issue stems from a lack of path sanitization when extracting the file extension from the filename and constructing the file path. Specifically, the expression file.filename.split(".")[-1] is evaluated without any sanitization, and the resulting value is concatenated into a filesystem path. This allows an attacker to craft a filename containing directory traversal sequences (e.g., audio./etc/passwd) to reveal the server's absolute path. The vulnerability is present in the backend/open_webui/routers/audio.py file, at line 1197, and is triggered when attempting to open a file with a malicious filename. The MIME-type guard does not prevent this issue.

Recommendations: Versions prior to 0.8.6 should be updated to version 0.8.6 or later to address the issue. As a temporary workaround, consider sanitizing the file extension using Path(file.filename).name and suppressing the internal path in error responses. Restrict access to the audio transcription endpoint to minimize the risk of exploitation.
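The following is an added example for this advisory, not Open WebUI's code. It reconstructs the unsafe pattern the description names (raw split(".")[-1] spliced into a path, with the resulting OSError text echoed to the client) next to the mitigation the recommendations call for: take the extension from Path(filename).name only, allow-list it, confirm the final path stays under the cache root, and map exceptions to a generic message. DATA_DIR's location and every function name below are assumptions chosen for the illustration.

```python
"""Deriving a cache path from an upload filename: the unsafe pattern and a hardened one.

Added example for this advisory, not Open WebUI's code. DATA_DIR, CACHE_ROOT,
build_cache_path_unsafe, error_text_when_opening, build_cache_path_safe,
safe_error_message and store_upload are names assumed for this illustration.
"""
from pathlib import Path
import tempfile
import uuid

# Assumed base directory standing in for the server's DATA_DIR (constructed here).
DATA_DIR = Path(tempfile.gettempdir()) / "example_data_dir"
CACHE_ROOT = DATA_DIR / "cache" / "audio" / "transcriptions"

# Allow-list of extensions the endpoint is prepared to store; anything else is neutralised.
ALLOWED_AUDIO_EXT = {"wav", "mp3", "m4a", "webm", "ogg", "flac"}


def build_cache_path_unsafe(filename: str, file_id: str) -> str:
    """The pattern the advisory describes: the raw extension is spliced into a path.

    "audio./etc/passwd".split(".")[-1] is "/etc/passwd", so the result points into a
    directory that does not exist. Kept only to contrast with the safe version.
    """
    ext = filename.split(".")[-1]
    return f"{CACHE_ROOT}/{file_id}.{ext}"


def error_text_when_opening(path: str) -> str:
    """Return the exception text Python produces when the path cannot be opened.

    This is what a handler leaks if it returns str(exc) to the client: the message
    carries the absolute path, DATA_DIR included.
    """
    try:
        with open(path, "wb"):
            pass
        return ""
    except OSError as exc:
        return str(exc)


def build_cache_path_safe(filename: str, file_id: str) -> Path:
    """Take the extension from the basename only, allow-list it, and confirm the
    final path stays inside CACHE_ROOT."""
    base = Path(filename).name                   # drops every directory component
    ext = Path(base).suffix.lstrip(".").lower()  # "" when there is no real suffix
    if ext not in ALLOWED_AUDIO_EXT:
        ext = "bin"
    root = CACHE_ROOT.resolve()
    candidate = (root / f"{file_id}.{ext}").resolve()
    if not candidate.is_relative_to(root):       # Python 3.9+
        raise ValueError("derived path escapes the cache directory")
    return candidate


def safe_error_message(exc: Exception) -> str:
    """Map an internal exception to a client-facing message that contains no paths."""
    if isinstance(exc, FileNotFoundError):
        return "Could not process the uploaded file."
    return "Transcription request failed."


def store_upload(filename: str, data: bytes) -> dict:
    """Simulate the endpoint; the dict mirrors what the HTTP response would carry."""
    file_id = uuid.uuid4().hex
    try:
        path = build_cache_path_safe(filename, file_id)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        return {"status": 200, "id": file_id, "ext": path.suffix.lstrip(".")}
    except (OSError, ValueError) as exc:
        # Detail belongs in server-side logs; the client only sees the generic text.
        return {"status": 400, "detail": safe_error_message(exc)}


if __name__ == "__main__":
    unsafe = build_cache_path_unsafe("audio./etc/passwd", "demo")
    print("unsafe path :", unsafe)
    print("leaked text :", error_text_when_opening(unsafe))
    print("safe path   :", build_cache_path_safe("audio./etc/passwd", "demo"))
    print("response    :", store_upload("audio./etc/passwd", b"RIFF...."))
```

Running the module shows the two behaviours side by side: the unsafe path ends in `demo./etc/passwd` and the OSError text that would be echoed names the full DATA_DIR-rooted path, while the hardened builder collapses the same filename to `demo.bin` under the cache root and the simulated response never carries a filesystem path. The containment check with is_relative_to is a second line of defence behind the allow-list, so a future change to how the extension is derived still cannot produce a path outside the cache directory.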

Weakness Enumeration
Generation of Error Message Containing Sensitive Information
Path traversal

Related Identifiers
CVE-2026-28786
GHSA-VVXM-VXMR-624H

Affected Products
Open-Webui