CVE-2026-28786
Information Disclosure via Unsanitized Filename in Open WebUI Speech-to-Text
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openwebui | open_webui | up to 0.8.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes information disclosure by leaking the server's absolute filesystem path to any authenticated non-admin user. Such exposure of internal system details can increase the risk of further attacks and unauthorized access.
While the vulnerability itself does not directly compromise personal data or system integrity, the disclosure of sensitive server path information may negatively impact compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive information and secure system configurations.
Specifically, the leakage of internal paths could aid attackers in reconnaissance, potentially leading to breaches that violate confidentiality requirements under these regulations.
Can you explain this vulnerability to me?
CVE-2026-28786 is a vulnerability in the Open WebUI platform affecting versions prior to 0.8.6. It occurs because the speech-to-text transcription endpoint does not properly sanitize the filename field provided by authenticated non-admin users.
Specifically, the filename can include path traversal sequences (like '../'), which are not removed before the system tries to create a file path. When the system attempts to open this constructed path and fails, it raises a FileNotFoundError.
The error message from this exception is returned verbatim in the HTTP 400 response, revealing the server's absolute DATA_DIR path. This leads to information disclosure, allowing attackers to learn about the server's filesystem structure.
How can this vulnerability impact me?
The primary impact of this vulnerability is information disclosure. An authenticated non-admin user can cause the server to reveal its absolute filesystem paths through error messages.
This information can be used by attackers to better understand the server environment, potentially aiding in further attacks or exploitation.
However, the vulnerability does not allow arbitrary file writes, nor does it affect data integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an authenticated multipart POST request to the speech-to-text transcription endpoint with a crafted filename containing path traversal sequences.
For example, sending a POST request to `/api/v1/audio/transcriptions` with a filename like `audio./etc/passwd` and a `Content-Type` header such as `audio/wav` will trigger a FileNotFoundError if the system is vulnerable.
The server response will be an HTTP 400 error containing the absolute server path in the error message, confirming the information disclosure.
A sample curl command to test this might be:
- `curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: multipart/form-data" -F "[email protected];filename=audio./etc/passwd" https://<server>/api/v1/audio/transcriptions`
If the response body contains an absolute path revealing the server's DATA_DIR, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Open WebUI to version 0.8.6 or later, where this vulnerability has been patched.
If upgrading is not immediately possible, you should implement input sanitization on the filename field to strip any path components, for example by using `pathlib.Path(file.filename).name`.
Additionally, modify the error handling to avoid returning detailed internal error messages in HTTP responses. Instead, log exceptions internally and return generic error messages such as "Transcription failed."
Restrict access to the transcription endpoint to trusted authenticated users and monitor logs for suspicious requests containing path traversal patterns.
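The two mitigations above (strip path components with `pathlib`, and keep exception text out of the HTTP response) written out as an added Python example; this is not Open WebUI's own code, and the upload directory, function names and the `(status, body)` return shape are assumptions made for the example.

```python
import logging
import tempfile
from pathlib import Path, PurePosixPath

log = logging.getLogger("transcription")

# Constructed for this example: Open WebUI derives its upload location from
# DATA_DIR; here a throwaway directory under the system temp dir stands in.
UPLOAD_DIR = Path(tempfile.gettempdir()) / "owui-example" / "transcriptions"


def sanitize_filename(filename: str) -> str:
    """Keep only the final path component of a client-supplied filename.

    This is the advisory's suggested fix (pathlib's .name). Backslashes are
    normalised first so a Windows-style separator cannot smuggle directory
    parts through, and a bare '', '.' or '..' result is rejected.
    """
    name = PurePosixPath(filename.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError(f"invalid filename: {filename!r}")
    return name


def resolve_upload_path(filename: str, base: Path = UPLOAD_DIR) -> Path:
    """Join the sanitised name onto `base` and confirm it stays inside it.

    The parent check is defence in depth: should sanitisation ever regress,
    nothing outside the upload directory is written.
    """
    base_resolved = base.resolve()
    candidate = (base_resolved / sanitize_filename(filename)).resolve()
    if candidate.parent != base_resolved:
        raise ValueError("upload path escapes the upload directory")
    return candidate


def handle_transcription_upload(filename: str, content: bytes, base: Path = UPLOAD_DIR):
    """Store an upload the way a hardened endpoint should; returns (status, body).

    Exception text (an OSError's str() carries the absolute path, which is
    exactly the CVE-2026-28786 leak) goes to the server log only; the client
    receives the fixed message the advisory recommends.
    """
    try:
        dest = resolve_upload_path(filename, base)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)
    except (ValueError, OSError) as exc:
        log.warning("transcription upload rejected: %s", exc)
        return 400, {"detail": "Transcription failed."}
    return 200, {"filename": dest.name}
```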