Open WebUI Arbitrary File Write/Delete via Path Traversal
Open WebUI is vulnerable to path traversal (CVE-2026-44565), allowing attackers to upload files to arbitrary locations on the web server's filesystem and subsequently delete them due to insufficient filename sanitization in the `/ollama/models/upload` API endpoint.
Open WebUI version 0.1.105 contains a path traversal vulnerability (CVE-2026-44565) in the `/ollama/models/upload` API route. The vulnerability, discovered by Taylor Pennington of KoreLogic, Inc., allows an attacker to upload files with arbitrary names to the server. Because the filename is not sanitized, an attacker can use dot-segments (`../`) to traverse the filesystem and write files to locations outside the intended upload directory. After the file has been written, the application attempts to remove it with `os.remove(file_path)`, which turns the same traversal into arbitrary file deletion. This issue can lead to denial of service, or it could be chained with other vulnerabilities for more severe impact if the attacker is able to overwrite critical system files.
Attack Chain
- The attacker gains access to the Open WebUI HTTP interface.
- The attacker crafts a malicious HTTP POST request to the `/ollama/models/upload` endpoint.
- The request includes a file attachment with a filename containing path traversal sequences (e.g., `../../../../../../../tmp/DELETE_ME`).
- The server receives the request and, without proper sanitization, constructs a file path using the attacker-controlled filename and saves the uploaded file to the specified location.
- The server attempts to pass the file to another internal API.
- Once the file is successfully processed by the internal API, the server attempts to remove the file using `os.remove(file_path)` with the attacker-controlled path.
- Due to the path traversal vulnerability, the server deletes the file at the attacker-specified location on the filesystem.
Impact
Successful exploitation of this vulnerability allows an attacker to delete arbitrary files on the system that the Open WebUI user has permissions to modify. This can lead to denial of service, data loss, or potentially be chained with other vulnerabilities to achieve arbitrary code execution if the attacker is able to overwrite critical system files. While the source mentions it might be possible to create a race condition, this was not validated.
Recommendation
- Apply the vendor-provided patch or upgrade to a version of Open WebUI greater than 0.1.105, which incorporates the recommended mitigation (https://github.com/advisories/GHSA-j3fw-wc48-29g3).
- Deploy the Sigma rule “Detect Open WebUI Path Traversal Upload Attempt” to identify malicious requests attempting to exploit CVE-2026-44565.
- Monitor web server logs for HTTP POST requests to the `/ollama/models/upload` endpoint containing filenames with path traversal sequences to identify potential exploitation attempts.
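As an added illustration (not code from the Open WebUI project or from this advisory), the unsanitized path join that the attack chain above describes, beside a hardened version that rejects the filename before any write or `os.remove` call, plus detection logic with the same intent as the Sigma rule recommended above. The upload directory, the allow-list, and the shape of the parsed log records are assumptions made for the example.

```python
import os
import re
from urllib.parse import unquote

# Assumed upload directory; the advisory does not state Open WebUI's actual path.
UPLOAD_DIR = "/srv/openwebui/uploads"
# Conservative allow-list: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
# A ".." path component, with either separator, anywhere in the name.
DOT_SEGMENT = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

def unsafe_upload_path(filename: str) -> str:
    """The vulnerable pattern the advisory describes: the client-supplied name is
    joined onto the upload directory unsanitized, so dot-segments walk out of it
    (and the later os.remove(file_path) follows the same attacker-chosen path)."""
    return os.path.join(UPLOAD_DIR, filename)

def escapes_upload_dir(path: str) -> bool:
    """True when the normalized path is not strictly inside UPLOAD_DIR."""
    resolved = os.path.normpath(path)
    return resolved == UPLOAD_DIR or os.path.commonpath([UPLOAD_DIR, resolved]) != UPLOAD_DIR

def is_safe_filename(filename: str) -> bool:
    """Allow-list check applied before the name reaches any filesystem call."""
    return SAFE_NAME.fullmatch(filename) is not None

def safe_upload_path(filename: str) -> str:
    """Hardened form: reject anything outside the allow-list, then re-check
    containment after normalization before the path is used to write or remove."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    path = os.path.join(UPLOAD_DIR, filename)
    if escapes_upload_dir(path):  # defence in depth; cannot trigger for allowed names
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return path

def flag_upload_requests(records):
    """Detection with the same intent as the Sigma rule: POSTs to the upload
    endpoint whose multipart filename carries a dot-segment. The filename is
    percent-decoded once so an encoded separator is not missed."""
    return [r for r in records
            if r["method"] == "POST"
            and r["path"].rstrip("/") == "/ollama/models/upload"
            and DOT_SEGMENT.search(unquote(r["filename"]))]

# Constructed sample records (already parsed from the web server log), not real output.
SAMPLE = [
    {"method": "POST", "path": "/ollama/models/upload", "filename": "model.gguf"},
    {"method": "POST", "path": "/ollama/models/upload", "filename": "../../../../../../../tmp/DELETE_ME"},
    {"method": "POST", "path": "/ollama/models/upload", "filename": "..%2F..%2Ftmp%2FDELETE_ME"},
    {"method": "GET", "path": "/api/models", "filename": ""},
]
```

The containment check is the part worth keeping even after the allow-list, since it also catches a sibling directory with the same prefix (for example `uploads-old`), which a plain string-prefix comparison would not.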
Detection coverage (2 rules)
Detect Open WebUI Path Traversal Upload Attempt (severity: high)
Detects CVE-2026-44565 exploitation — HTTP POST requests to /ollama/models/upload with path traversal sequences in the filename parameter indicating a path traversal attempt.
Detect Open WebUI File Deletion via Path Traversal (severity: medium)
Detects CVE-2026-44565 post-exploitation — suspicious process deletion events resulting from successful path traversal writing.