CVE-2026-59212
Received Received - Intake

Privilege Escalation in Open WebUI via Knowledge File Access

Vulnerability report for CVE-2026-59212, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
open_webui open_webui From 0.9.6 (exc) to 0.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Open WebUI allows an authenticated user with read-only access to escalate privileges to write or delete files improperly. This unauthorized modification capability could lead to data integrity issues and unauthorized data alteration.

Such unauthorized access and modification could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and protection against unauthorized changes.

However, the provided information does not explicitly discuss the direct impact on compliance frameworks or mention any regulatory consequences.

Executive Summary

CVE-2026-59212 is a vulnerability in Open WebUI where an authenticated user with Models workspace access and read-only access to a file through a knowledge-base grant can escalate their privileges to gain write and delete access to that file.

The issue arises because the system incorrectly allows a file ID with only read access to be attached to an attacker-controlled model's metadata. Later, when the system checks for write access, it grants it based on the model's metadata rather than the user's actual permissions.

This bypasses proper authorization checks, allowing the attacker to rename, overwrite, or delete the victim's file through file routes like POST /api/v1/files/{id}/rename, POST /api/v1/files/{id}/data/content/update, and DELETE /api/v1/files/{id}.

The vulnerability was caused by the access control logic deriving write or delete permissions from objects (knowledge bases, workspace models) a file was attached to, without verifying ownership of the file itself.

The issue was fixed by ensuring that write or delete permissions are only granted if the object's owner also owns the file, preventing unauthorized privilege escalation.

Impact Analysis

This vulnerability allows an authenticated user with limited read-only access to a file to escalate their privileges and gain write and delete permissions on that file.

As a result, an attacker could rename, overwrite, or delete files they should only be able to read, potentially leading to data loss, data tampering, or disruption of services relying on those files.

The impact is moderate with a CVSS score of 5.4, as exploitation requires specific conditions including authenticated access, Models workspace permissions, and prior read-only access via a knowledge-base grant.

Detection Guidance

This vulnerability involves privilege escalation through improper authorization checks in file access permissions within Open WebUI. Detection would involve monitoring for unusual file write or delete operations initiated by users who should only have read access.

Specifically, suspicious activity could include API calls to endpoints such as POST /api/v1/files/{id}/rename, POST /api/v1/files/{id}/data/content/update, and DELETE /api/v1/files/{id} performed by users with only read access to those files.

To detect exploitation attempts, you can audit logs for these API calls and verify if the user had only read permissions but performed write or delete operations.

While no explicit commands are provided in the resources, general approaches include:

  • Review Open WebUI access logs for file modification or deletion events by users with read-only knowledge base grants.
  • Use API request logging or network monitoring tools to filter requests to the affected file routes and correlate them with user permission levels.
  • Check the metadata of models to identify if files with read-only access are attached to objects owned by users who then perform write/delete operations.
Mitigation Strategies

The primary mitigation is to upgrade Open WebUI to version 0.10.0 or later, where the vulnerability is fixed by strengthening the _verify_knowledge_file_access() function.

This fix ensures that write or delete permissions on files are only granted if the object's owner also owns the file, preventing unauthorized privilege escalation.

Until the upgrade can be applied, consider restricting or auditing access to the Models workspace and knowledge-base grants to minimize the risk of exploitation.

  • Apply the patch or upgrade to Open WebUI version 0.10.0 or newer.
  • Limit user permissions to only those necessary, especially restricting write or delete access to files.
  • Monitor and audit file-related API calls for suspicious activity as a temporary detection measure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart