{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28788", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-26T23:38:20.726Z", "dateUpdated": "2026-03-26T23:38:20.726Z"}, "containers": {"cna": {"title": "Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j"}], "affected": [{"vendor": "open-webui", "product": "open-webui", "versions": [{"version": "< 0.8.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:38:20.726Z"}, "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue."}], "source": {"advisory": "GHSA-jjp7-g2jw-wh3j", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue."}], "id": "CVE-2026-28788", "lastModified": "2026-03-27T00:16:22.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:22.673", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jjp7-g2jw-wh3j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "open-webui", "source": "cna", "vendor": "open-webui"}, "product": "open-webui", "vendor": "open-webui"}], "analysis": {"en": {"generated_at": "2026-03-27T06:27:23.919003+00:00", "value": {"mitigation_remediation": ["Apply the 0.8.6 patch or newer version of Open WebUI immediately", "Verify that the process_files_batch endpoint now checks file ownership before allowing writes", "Restrict user permissions to only those necessary, and audit knowledge base file access to detect unusual overwrite activity"], "summary": {"action": "Patch ASAP", "impact": "Unauthorized file overwrite enabling manipulation of LLM outputs"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of Open WebUI prior to version 0.8.6. Users running an earlier release are susceptible; the issue was fixed in 0.8.6 and later versions. Administrators should verify the exact deployment version and confirm that upgrades have been applied.", "description_and_impact": "The flaw in Open WebUI's process_files_batch endpoint allows any authenticated user to overwrite files without verifying ownership. This permits an attacker to replace content in files that are later retrieved by the LLM for Retrieval-Augmented Generation, thereby controlling the information the model presents to other users. The vulnerability is a classic case of privilege escalation (CWE\u2011639) and, with a CVSS score of 7.1, represents a moderate to high severity risk.", "risk_and_exploitability": "The attack requires authenticated access and the ability to read file UUIDs via the knowledge base API. An attacker with read rights can obtain a list of file identifiers, then use the vulnerable endpoint to replace content. The exploit is straightforward once the necessary permissions are present, but no elevated privileges are needed beyond an authenticated session. The CVSS score of 7.1 reflects the ability to tamper with data that feeds the LLM. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog, but the potential for targeted attacks against internal deployments remains significant."}}}}, "created": "2026-03-27T08:31:22.308197+00:00", "updated": "2026-03-27T09:22:44.386103+00:00", "vendors": ["open-webui", "open-webui$PRODUCT$open-webui"]}