{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-webui-formerly-ollama-webui/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI (Formerly Ollama WebUI)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-upload","web-application"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI version 0.1.105, formerly known as Ollama WebUI, is susceptible to an arbitrary file upload and path traversal vulnerability. Discovered by Jaggar Henry \u0026amp; Sean Segreti of KoreLogic, Inc. in March 2024, this flaw allows an attacker to upload files to arbitrary locations on the web server\u0026rsquo;s filesystem. The vulnerability stems from the application\u0026rsquo;s failure to properly validate or sanitize filenames during file uploads to the \u003ccode\u003e/rag/api/v1/doc\u003c/code\u003e endpoint. By exploiting this, malicious actors can use dot-segments (e.g., \u003ccode\u003e../../\u003c/code\u003e) in the file path to traverse out of the intended uploads directory. Successful exploitation enables the uploading of malicious models, such as pickled Python objects, or the modification of system files like \u003ccode\u003eauthorized_keys\u003c/code\u003e for SSH access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Open WebUI web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/rag/api/v1/doc\u003c/code\u003e endpoint, initiating a file upload.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a malicious filename in the multipart form data, containing path traversal sequences (e.g., \u003ccode\u003e../../../../../../../../../../tmp/pwned.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Open WebUI server receives the request and extracts the unsanitized filename from the HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe server constructs a file path using the provided filename and the static \u003ccode\u003eUPLOAD_DIR\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003eThe server proceeds to write the contents of the uploaded file to the constructed file path, effectively bypassing intended directory restrictions.\u003c/li\u003e\n\u003cli\u003eA malicious actor can overwrite existing system files, such as \u003ccode\u003e.ssh/authorized_keys\u003c/code\u003e for unauthorized system access.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker uploads a malicious model as a pickled python object to achieve remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability, identified as CVE-2026-44566, can lead to arbitrary code execution on the server. An attacker could gain unauthorized access to the system, potentially leading to data breaches, system compromise, or denial of service. The vulnerable version, 0.1.105, is actively exploitable, and organizations using this version are at risk. The targeted platform observed during analysis was Debian GNU/Linux 12.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Open WebUI to a version beyond 0.1.123 which addresses the CVE-2026-44566 vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent path traversal attacks during file uploads to mitigate the arbitrary file upload.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Open WebUI Path Traversal File Upload\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to the \u003ccode\u003e/rag/api/v1/doc\u003c/code\u003e endpoint with filenames containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T18:30:00Z","date_published":"2024-07-03T18:30:00Z","id":"/briefs/2024-07-open-webui-upload-traversal/","summary":"Open WebUI version 0.1.105 is vulnerable to arbitrary file upload and path traversal, allowing attackers to upload files to arbitrary locations on the web server's filesystem by exploiting a lack of filename validation.","title":"Open WebUI Arbitrary File Upload and Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-07-open-webui-upload-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Open WebUI (Formerly Ollama WebUI)","version":"https://jsonfeed.org/version/1.1"}