Executive Summary

CVE-2026-54009 is a cross-user file disclosure vulnerability in Open WebUI versions 0.9.5 and earlier. It occurs in the /api/chat/completions endpoint where the image_url.url field can be manipulated. If the URL does not start with http://, https://, or data:image/, the server treats it as a file ID and retrieves the file from disk without checking if the requesting user owns the file.

An authenticated user can exploit this by specifying another user's file ID, causing the server to read that file, encode it in base64, and inject it into a large language model (LLM) request. The attacker can then prompt the LLM to describe or perform OCR on the file, effectively disclosing its contents.

The root cause is missing ownership checks in the function that retrieves files by ID, allowing unauthorized access to other users' files.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated users to access files belonging to other users without proper authorization checks, leading to unauthorized disclosure of potentially sensitive information.

Such unauthorized access and disclosure of user files can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user to read files uploaded by other users without permission. These files can include images and documents with image-like MIME types.

An attacker can access sensitive or private information contained in these files by leveraging the LLM to describe or extract text from them.

The impact is significant because it compromises confidentiality (high confidentiality impact) but does not affect integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the manipulation of the `image_url.url` field in POST requests to the `/api/chat/completions` endpoint, where an authenticated user can specify a file ID to access files belonging to other users without proper ownership checks.

To detect exploitation attempts on your system or network, you can monitor POST requests to `/api/chat/completions` that contain `image_url.url` values not starting with `http://`, `https://`, or `data:image/`, as these are interpreted as file IDs.

Suggested commands to detect such activity include:

• Using grep on server logs to find suspicious POST requests: `grep -i 'POST /api/chat/completions' /path/to/access.log | grep -E '"image_url.url":"(?!http://|https://|data:image/)'`
• Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to `/api/chat/completions` and inspect payloads for `image_url.url` fields with unexpected values.
• Implementing application-level logging to record the `image_url.url` parameter values and the authenticated user IDs making the requests for further analysis.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Open WebUI to version 0.9.6 or later, where this vulnerability has been fixed by enforcing ownership checks on file access.

If upgrading immediately is not possible, consider the following temporary measures:

• Restrict access to the `/api/chat/completions` endpoint to trusted users only, minimizing the risk of exploitation.
• Implement additional access control checks in your deployment to verify that file IDs requested via `image_url.url` belong to the authenticated user.
• Monitor logs and network traffic for suspicious requests as described in the detection section to identify and respond to potential exploitation attempts.

Useful 0 Not Useful 0