HIGHCVE-2026-45301Published 2026-05-15Modified 2026-05-19CNA GitHub_M

CVE-2026-45301: Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This vulnerability is fixed in 0.3.16.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

open-webui / open-webui
< 0.3.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-r8wh-8m7r-fh33

Metrics