PT-2026-28382 · Unknown · Open-Webui
Inar1Dev · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-28788
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.6

Description: Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint lacks ownership verification, so a regular user with read access to a shared knowledge base can obtain file UUIDs via the GET /api/v1/knowledge/{id}/files endpoint and then overwrite those files, escalating from read to write access. The overwritten content is then served to the LLM via RAG, letting the attacker control the model's responses to other users. The process_files_batch() function, intended as an internal helper, is exposed as a public endpoint without proper authorization checks. An attacker obtains file UUIDs through read access to a knowledge base and uses them to overwrite files.

Recommendations: Open WebUI versions prior to 0.8.6 should be updated to version 0.8.6 or later. Add an ownership check before writing to ensure that file.user_id == user.id or that the user has administrator privileges.
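The recommended ownership check, written out as an added example that is not Open WebUI's own code: a hypothetical batch handler authorizes every file ID (owner or administrator) before the first write, so a single foreign UUID rejects the whole request and no file is partially overwritten. The User, StoredFile and store structures are assumptions, not the project's models.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: str
    role: str = "user"          # "admin" may overwrite any file


@dataclass
class StoredFile:
    id: str                     # file UUID, as listed by knowledge/{id}/files
    user_id: str                # uploader / owner
    content: str                # text later chunked and served via RAG


class Forbidden(Exception):
    pass


def can_overwrite(f: StoredFile, user: User) -> bool:
    """The check the advisory recommends: owner or administrator."""
    return user.role == "admin" or f.user_id == user.id


def process_files_batch(file_ids, new_contents, user, store):
    """Hardened form: authorize every ID before the first write, so one
    foreign UUID rejects the whole batch and nothing is partially overwritten."""
    targets = []
    for fid in file_ids:
        f = store.get(fid)
        if f is None:
            raise KeyError(fid)
        if not can_overwrite(f, user):
            raise Forbidden(f"user {user.id} is not the owner of file {fid}")
        targets.append(f)
    for f in targets:                      # only reached if every ID passed
        f.content = new_contents[f.id]
    return [f.id for f in targets]


def handle_batch_request(file_ids, new_contents, user, store):
    """Map the outcome to an HTTP-style (status, body) pair."""
    try:
        return 200, process_files_batch(file_ids, new_contents, user, store)
    except Forbidden as e:
        return 403, str(e)


def make_sample_store():
    """Constructed sample data (hypothetical): two files, two different owners."""
    return {
        "f1": StoredFile("f1", "alice", "alice's policy document"),
        "f2": StoredFile("f2", "bob", "bob's shared handbook"),
    }
```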

Tags: Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-28788
GHSA-JJP7-G2JW-WH3J

Affected Products

Open-Webui