CVE-2026-29070
MEDIUM 5.4
Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.
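The missing check described above, shown as an added example against a constructed in-memory model (this is not Open WebUI's code; `Store`, `KnowledgeBase`, `remove_file_unchecked` and `remove_file_checked` are hypothetical names). The first method authorizes only on the knowledge base; the second also verifies that the file belongs to it before deleting.

```python
from dataclasses import dataclass, field

@dataclass
class KnowledgeBase:
    id: str
    writers: set                      # users with write access
    file_ids: set = field(default_factory=set)

class Store:
    """Constructed in-memory model; every name here is hypothetical."""
    def __init__(self, kbs):
        self.kbs = {kb.id: kb for kb in kbs}
        self.files = {f for kb in kbs for f in kb.file_ids}

    def _authorize(self, user, kb_id, is_admin):
        kb = self.kbs[kb_id]
        if not (is_admin or user in kb.writers):
            raise PermissionError("no write access to knowledge base")
        return kb

    def remove_file_unchecked(self, user, kb_id, file_id, is_admin=False):
        # Pattern from the description: write access to kb_id is the only check.
        self._authorize(user, kb_id, is_admin)
        for kb in self.kbs.values():  # file is removed wherever it lives
            kb.file_ids.discard(file_id)
        self.files.discard(file_id)

    def remove_file_checked(self, user, kb_id, file_id, is_admin=False):
        kb = self._authorize(user, kb_id, is_admin)
        # Object-level check: the file must belong to the authorized knowledge base.
        if file_id not in kb.file_ids:
            raise LookupError("file is not part of this knowledge base")
        kb.file_ids.discard(file_id)
        self.files.discard(file_id)

def fresh_store():
    # Constructed sample data: two users, each owning one knowledge base.
    return Store([KnowledgeBase("kb-a", {"alice"}, {"file-1"}),
                  KnowledgeBase("kb-b", {"bob"}, {"file-2"})])

def demo():
    s1 = fresh_store()
    s1.remove_file_unchecked("bob", "kb-b", "file-1")   # bob has no rights on kb-a
    lost_without_check = "file-1" not in s1.files
    s2 = fresh_store()
    try:
        s2.remove_file_checked("bob", "kb-b", "file-1")
        rejected = False
    except LookupError:
        rejected = True
    return lost_without_check, rejected, "file-1" in s2.files
```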
CVE Details
CVSS v3.1 Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 3/27/2026
Last Modified: 4/1/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
openwebui:open_webui
Weaknesses (CWE)
CWE-862
References
https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.