PT-2026-41163 · Unknown · Open-Webui

Published 2026-03-08 · Updated 2026-05-16 · CVE-2026-45301

CVSS v2.0

8.5 High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.3.16

Description

A missing permission check in the file-related API endpoints allows any authenticated user to list, access, and delete every file uploaded by any user to the platform. The issue exists because the endpoints only verify that the user is authenticated and do not filter files to match the user id of the requesting user. Affected endpoints include '/api/v1/files/', '/api/v1/files/{id}/content', and '/api/v1/files/{id}'.

Recommendations

Update to version 0.3.16.
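
The owner filter that the description says was missing, shown as an added example rather than Open WebUI's own code: an authentication-only listing beside owner-scoped list, read and delete operations. The in-memory store and every class, method and field name in it are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    id: str
    user_id: str  # owner, set at upload time
    content: bytes


class NotFound(Exception):
    """Raised for a missing file and for a file owned by someone else."""


class FileStore:
    """Hypothetical in-memory stand-in for a file table (constructed example)."""

    def __init__(self, records):
        self._files = {r.id: r for r in records}

    def list_unscoped(self, caller_id):
        # Pattern from the description: caller is authenticated, no owner filter.
        return sorted(self._files)

    def list_files(self, caller_id):
        # Scoped listing: only rows whose owner matches the caller.
        return sorted(f.id for f in self._files.values() if f.user_id == caller_id)

    def _owned(self, caller_id, file_id):
        rec = self._files.get(file_id)
        # Same error either way, so the response does not confirm that an id exists.
        if rec is None or rec.user_id != caller_id:
            raise NotFound(file_id)
        return rec

    def get_content(self, caller_id, file_id):
        return self._owned(caller_id, file_id).content

    def delete(self, caller_id, file_id):
        del self._files[self._owned(caller_id, file_id).id]


def sample_store():
    # Constructed sample data: two users, one file each.
    return FileStore([FileRecord("f1", "alice", b"a-notes"),
                      FileRecord("f2", "bob", b"b-notes")])
```

A regression test for this class of bug exercises each of the three operations with a second account and expects the scoped result, as the owner-only methods here return.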

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2026-07137
CVE-2026-45301
GHSA-R8WH-8M7R-FH33

Affected Products

Open-Webui