Threat Feed
high advisory

Open WebUI Authorization Bypass Allows Unauthorized File Deletion

Open WebUI version 0.8.3 and earlier is vulnerable to an authorization bypass, allowing any authenticated user to permanently delete files owned by other users via `DELETE /api/v1/files/{id}` if the target file is referenced in any shared chat due to a flaw in the `has_access_to_file()` function.

Open WebUI version 0.8.3 and earlier is vulnerable to an authorization bypass. The vulnerability resides in the has_access_to_file() function within backend/open_webui/routers/files.py. When a user attempts to delete a file via DELETE /api/v1/files/{id}, the function incorrectly authorizes the request if the target file is referenced in any shared chat, regardless of the requesting user’s permissions. This occurs because the function checks neither the requesting user’s identity nor the type of operation being performed. File UUIDs, which are otherwise difficult to guess, can be obtained by any user with read access to a knowledge base via GET /api/v1/knowledge/{id}/files. This vulnerability was tested using a default Docker configuration.

Attack Chain

  1. The attacker authenticates to the Open WebUI application with any valid user account.
  2. The attacker identifies a target knowledge base that is shared across multiple users or teams.
  3. The attacker sends a GET /api/v1/knowledge/{kb_id}/files request to retrieve the file UUIDs associated with the target knowledge base.
  4. The attacker selects a file UUID from the list obtained in the previous step, corresponding to a file they do not own.
  5. The attacker sends a GET /api/v1/files/{file_id}/data/content request to confirm the target file is accessible (200 OK).
  6. The attacker sends a DELETE /api/v1/files/{file_id} request to delete the target file.
  7. The has_access_to_file() function incorrectly authorizes the deletion because the file is referenced in a shared chat, bypassing permission checks.
  8. The server deletes the file from the database, disk, and all knowledge base associations.
  9. The attacker verifies permanent deletion by sending a subsequent GET /api/v1/files/{file_id}/data/content request, which now returns HTTP 404.

Impact

This vulnerability can lead to permanent data destruction within Open WebUI deployments. Any multi-user Open WebUI deployment where chat sharing is enabled is affected. An attacker with a valid account can permanently delete files owned by other users, leading to data loss and knowledge base degradation. The delete operation lacks proper auditing, making it difficult to identify the responsible user. The knowledge base will silently lose documents without any user-facing indication that content is missing.

Recommendation

  • Upgrade to Open WebUI version 0.9.0 or later to apply the fix that addresses the authorization bypass in the has_access_to_file() function.
  • Deploy the Sigma rule “Detect Unauthorized Open WebUI File Deletion via Shared Chat Bypass” to monitor for unauthorized file deletion attempts.
  • Restrict access to knowledge bases and shared chats to only authorized users to limit the exposure of file UUIDs.

Detection coverage (2 rules)

Detect Unauthorized Open WebUI File Deletion via Shared Chat Bypass

high

Detects CVE-2026-45671 exploitation: an authenticated user attempts to delete a file via the API that they do not own but that is referenced in a shared chat.

Rule format: Sigma. Tactics: defense_evasion, privilege_escalation. Techniques: T1213, T1213.002. Sources: webserver.

Detect Open WebUI Knowledge Base File UUID Retrieval

low

Detects an attempt to retrieve file UUIDs from a knowledge base, which is a prerequisite step for exploiting CVE-2026-45671.

Rule format: Sigma. Tactics: reconnaissance. Sources: webserver.
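The two detections above, as an added example that is not part of the advisory or of Open WebUI: a small correlation over constructed reverse-proxy access-log lines. The log format (user id, method, path, status) and the file-ownership table are assumptions; web server logs alone do not say who owns a file, so the high-severity rule has to be joined against the application's file metadata.

```python
import re

# Constructed access-log lines (assumed format: "<user> <METHOD> <path> <status>",
# as an authenticating reverse proxy in front of Open WebUI might emit).
SAMPLE_LOG = """\
u-alice GET /api/v1/knowledge/kb-shared/files 200
u-alice GET /api/v1/files/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/data/content 200
u-alice DELETE /api/v1/files/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa 200
u-bob DELETE /api/v1/files/bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb 200
u-alice GET /api/v1/files/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/data/content 404
"""

# Constructed ownership table (file UUID -> owning user). In a real deployment this
# comes from the application's file metadata, not from the web server log.
FILE_OWNER = {
    "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa": "u-bob",
    "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb": "u-bob",
}

# Low-severity rule: listing a knowledge base's files (UUID harvesting step).
KB_FILES_RE = re.compile(r"^/api/v1/knowledge/[^/]+/files$")
# High-severity rule: DELETE on a file endpoint; capture the UUID for the ownership join.
FILE_DELETE_RE = re.compile(r"^/api/v1/files/([0-9a-f-]{36})$")


def parse_line(line):
    """Split one log line into (user, method, path, status)."""
    user, method, path, status = line.split()
    return user, method, path, int(status)


def detect(log_text, file_owner):
    """Return (severity, user, path) alerts for the two rules, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, method, path, _status = parse_line(line)
        if method == "GET" and KB_FILES_RE.match(path):
            alerts.append(("low", user, path))
        m = FILE_DELETE_RE.match(path)
        if method == "DELETE" and m:
            owner = file_owner.get(m.group(1))
            # Flag deletions of files the requester does not own, whatever the status:
            # a 4xx here still records an attempt worth reviewing.
            if owner is not None and owner != user:
                alerts.append(("high", user, path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, FILE_OWNER):
        print(alert)
```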
