{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29070", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.482Z", "datePublished": "2026-03-26T23:39:33.197Z", "dateUpdated": "2026-03-26T23:39:33.197Z"}, "containers": {"cna": {"title": "Open WebUI has unauthorized deletion of knowledge files", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"}], "affected": [{"vendor": "open-webui", "product": "open-webui", "versions": [{"version": "< 0.8.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:39:33.197Z"}, "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue."}], "source": {"advisory": "GHSA-26gm-93rw-cchf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue."}], "id": "CVE-2026-29070", "lastModified": "2026-03-27T00:16:22.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:22.823", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "open-webui", "source": "cna", "vendor": "open-webui"}, "product": "open-webui", "vendor": "open-webui"}], "analysis": {"en": {"generated_at": "2026-03-27T06:52:06.868089+00:00", "value": {"mitigation_remediation": ["Verify the Open WebUI version currently installed.", "If the version is 0.8.5 or earlier, update to version 0.8.6 or later, which contains a fix for the unauthorized deletion issue.", "After updating, audit recent file deletions and review logs for any unintended data loss.", "Reinforce fine\u2011grained access controls on knowledge bases, ensuring only users with explicit write permission can modify contents."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized deletion of knowledge base files"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of the Open WebUI product provided by open-webui that are running any version earlier than 0.8.6, regardless of operating system or deployment environment. The vulnerability is not limited to a specific platform or operating system; the only requirement is that the open-webui instance is reachable and the attacker can obtain a file identifier.", "description_and_impact": "Open WebUI, a self-hosted artificial intelligence platform, permits users with write permissions to a knowledge base to delete files without verifying that the file actually belongs to that base. This missing authorization check (CWE-862) allows a malicious actor to remove arbitrary files by specifying a known file identifier, potentially causing irreversible data loss or exposure of sensitive information. The vulnerability is therefore a medium-severity data-exposure and integrity risk for affected deployments.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity posture. Exploitation requires that the assailant has write access to a knowledge base, which may be achieved through legitimate credentials or privilege escalation. Once that condition is met, the attacker can delete any file by supplying its identifier, without further authentication. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, implying that public exploit activity has not yet been documented. Based on the description, the likely attack vector is a web\u2011application interface that accepts delete requests with a file ID parameter; the missing check is entirely server\u2011side, so the attack does not require client\u2011side manipulation. This inference is based on the stated behavior of the platform and the nature of the flaw."}}}}, "created": "2026-03-27T08:31:21.399702+00:00", "updated": "2026-03-27T09:22:43.454605+00:00", "vendors": ["open-webui", "open-webui$PRODUCT$open-webui"]}