Compliance Impact

This vulnerability causes information disclosure by leaking the server's absolute filesystem path to any authenticated non-admin user. Such exposure of internal system details can increase the risk of further attacks and unauthorized access.

While the vulnerability itself does not directly compromise personal data or system integrity, the disclosure of sensitive server path information may negatively impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive information and secure system configurations.

Specifically, the leakage of internal paths could aid attackers in reconnaissance, potentially leading to breaches that violate confidentiality requirements under these regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-28786 is a vulnerability in the Open WebUI platform affecting versions prior to 0.8.6. It occurs because the speech-to-text transcription endpoint does not properly sanitize the filename field provided by authenticated non-admin users.

Specifically, the filename can include path traversal sequences (like '../'), which are not removed before the system tries to create a file path. When the system attempts to open this constructed path and fails, it raises a FileNotFoundError.

The error message from this exception is returned verbatim in the HTTP 400 response, revealing the server's absolute DATA_DIR path. This leads to information disclosure, allowing attackers to learn about the server's filesystem structure.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is information disclosure. An authenticated non-admin user can cause the server to reveal its absolute filesystem paths through error messages.

This information can be used by attackers to better understand the server environment, potentially aiding in further attacks or exploitation.

However, the vulnerability does not allow arbitrary file writes, nor does it affect data integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending an authenticated multipart POST request to the speech-to-text transcription endpoint with a crafted filename containing path traversal sequences.

For example, sending a POST request to `/api/v1/audio/transcriptions` with a filename like `audio./etc/passwd` and a `Content-Type` header such as `audio/wav` will trigger a FileNotFoundError if the system is vulnerable.

The server response will be an HTTP 400 error containing the absolute server path in the error message, confirming the information disclosure.

A sample curl command to test this might be:

• curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: multipart/form-data" -F "[email protected];filename=audio./etc/passwd" https://<server>/api/v1/audio/transcriptions

If the response body contains an absolute path revealing the server's DATA_DIR, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Open WebUI to version 0.8.6 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, you should implement input sanitization on the filename field to strip any path components, for example by using `pathlib.Path(file.filename).name`.

Additionally, modify the error handling to avoid returning detailed internal error messages in HTTP responses. Instead, log exceptions internally and return generic error messages such as "Transcription failed."

Restrict access to the transcription endpoint to trusted authenticated users and monitor logs for suspicious requests containing path traversal patterns.

Useful 0 Not Useful 0