CVE-2026-28788
Insecure File Overwrite in Open WebUI Enables Privilege Escalation
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openwebui | open_webui | to 0.8.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28788 is a high-severity authorization bypass vulnerability in Open WebUI versions prior to 0.8.6. It occurs because the `POST /api/v1/retrieval/process/files/batch` endpoint allows any authenticated user to overwrite the content of any file by its ID without verifying file ownership.
The vulnerability arises because the endpoint exposes an internal helper function that lacks proper ownership checks. An attacker with read access to a shared knowledge base can enumerate file UUIDs and then overwrite those files, escalating their permissions from read to write.
The overwritten content is then served to the Large Language Model (LLM) via Retrieval-Augmented Generation (RAG), allowing the attacker to control what the model outputs to other users, effectively poisoning the model's responses.
This flaw leads to silent data corruption without audit trails or notifications and is fixed in Open WebUI version 0.8.6 by adding ownership verification before file updates.
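The missing check described above, reduced to a self-contained sketch. This is an added example, not Open WebUI's code: `StoredFile`, the in-memory `store` and both function names are hypothetical, and ownership is the only write rule modelled.

```python
from dataclasses import dataclass


@dataclass
class StoredFile:
    owner_id: str
    content: str


class NotAuthorized(Exception):
    """A batch referenced a file the caller may not modify."""


def batch_update_unchecked(user_id, items, store):
    """Flawed pattern: the file ID alone selects the record to overwrite."""
    for file_id, content in items:
        store[file_id].content = content  # caller identity never consulted
    return len(items)


def batch_update_checked(user_id, items, store):
    """Corrected pattern: authorize every ID before any write happens."""
    denied = [fid for fid, _ in items
              if fid not in store or store[fid].owner_id != user_id]
    if denied:
        # Reject the whole batch so a mixed request cannot partly succeed.
        raise NotAuthorized(f"{user_id} may not modify {denied}")
    for file_id, content in items:
        store[file_id].content = content
    return len(items)


def demo():
    """Constructed data: alice owns f-1, bob only has read access to it."""
    results = {}
    for name, update in (("unchecked", batch_update_unchecked),
                         ("checked", batch_update_checked)):
        store = {"f-1": StoredFile("alice", "original text")}
        try:
            update("bob", [("f-1", "text chosen by bob")], store)
            outcome = "written"
        except NotAuthorized:
            outcome = "rejected"
        results[name] = (outcome, store["f-1"].content)
    return results


if __name__ == "__main__":
    print(demo())
```

Unknown IDs are treated the same as foreign ones, so the error does not reveal which file IDs exist.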
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Open WebUI to version 0.8.6 or later, where the vulnerability is patched by adding ownership checks before file updates.
Until the upgrade can be applied, restrict access to the vulnerable endpoint `/api/v1/retrieval/process/files/batch` to trusted users only or disable it if possible.
Implement monitoring and alerting on unauthorized file modification attempts and review user permissions to limit read access to shared knowledge bases.
Consider auditing existing files for unauthorized modifications and verify the integrity of knowledge base contents to detect any silent data corruption caused by exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users to overwrite files they do not own within shared knowledge bases, leading to unauthorized data modification and silent data corruption.
Such unauthorized modification and lack of audit trails can undermine data integrity and accountability requirements commonly mandated by standards and regulations like GDPR and HIPAA.
Specifically, the ability to escalate from read to write access without proper authorization controls may violate principles of least privilege and data protection, potentially resulting in non-compliance with these regulations.
How can this vulnerability impact me?
This vulnerability can have significant impacts in multi-user Open WebUI deployments with shared knowledge bases.
- An attacker with only read access can overwrite arbitrary files, escalating their privileges to write access.
- The attacker can poison the LLM's responses by injecting malicious or misleading content, affecting all users relying on the model.
- There is no audit trail or notification of these unauthorized modifications, leading to silent data corruption.
- Depending on deployment, this could lead to further exploitation such as code execution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized file overwrite attempts via the vulnerable endpoint `POST /api/v1/retrieval/process/files/batch`. An attacker first enumerates file UUIDs using the `GET /api/v1/knowledge/{id}/files` endpoint and then sends crafted POST requests to overwrite files.
To detect exploitation attempts, monitor HTTP requests to these endpoints for unusual activity, such as POST requests that modify files the requesting user does not own.
Suggested commands to detect potential exploitation include using curl or similar tools to query the endpoints and check for unauthorized access patterns:
- Enumerate files in a knowledge base (replace `{id}` with the actual knowledge base ID): `curl -X GET -H "Authorization: Bearer <token>" https://<openwebui-host>/api/v1/knowledge/{id}/files`
- Check for suspicious POST requests attempting to overwrite files: `curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"file_ids": ["<file-uuid>"], "content": "<test-content>"}' https://<openwebui-host>/api/v1/retrieval/process/files/batch`
Additionally, review server logs for POST requests to `/api/v1/retrieval/process/files/batch` from users who should not have write access, as the endpoint lacks ownership verification.
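One way to run the log review described above, as an added example that is not part of the original page. It assumes a reverse proxy in front of Open WebUI writing combined-format access logs, correlates by client address because that format carries no user identity, and uses a 30-minute window; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Combined log format: client, two ignored fields, [time], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LIST_RE = re.compile(r"^/api/v1/knowledge/[^/]+/files/?(\?.*)?$")
BATCH_PATH = "/api/v1/retrieval/process/files/batch"

# Constructed sample lines (documentation IP ranges, made-up knowledge base ID).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2026:10:01:02 +0000] "GET /api/v1/knowledge/kb-123/files HTTP/1.1" 200 812 "-" "curl/8.5"',
    '203.0.113.7 - - [28/Mar/2026:10:03:40 +0000] "POST /api/v1/retrieval/process/files/batch HTTP/1.1" 200 96 "-" "curl/8.5"',
    '198.51.100.4 - - [28/Mar/2026:11:00:00 +0000] "POST /api/v1/retrieval/process/files/batch HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Mar/2026:09:00:00 +0000] "GET /api/v1/knowledge/kb-123/files HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Mar/2026:12:00:00 +0000] "POST /api/v1/retrieval/process/files/batch HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
]


def find_list_then_batch(lines, window=timedelta(minutes=30)):
    """Return (client, listing_path, listing_time, batch_time, status) for each
    batch POST that follows a knowledge-base file listing from the same client."""
    last_listing = {}  # client -> (time, path) of its most recent file listing
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"]
        if m["method"] == "GET" and LIST_RE.match(path):
            last_listing[m["client"]] = (ts, path)
        elif m["method"] == "POST" and path.split("?")[0].rstrip("/") == BATCH_PATH:
            seen = last_listing.get(m["client"])
            if seen and timedelta(0) <= ts - seen[0] <= window:
                hits.append((m["client"], seen[1], seen[0].isoformat(),
                             ts.isoformat(), m["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_list_then_batch(SAMPLE_LOG):
        print(hit)
```

Each hit is a lead to review, not proof of abuse: compare the client and time against who actually holds write access to the listed knowledge base, since legitimate use can produce the same request sequence.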