Attack Chain

1. An attacker authenticates to the Open WebUI web interface.
2. The attacker crafts an HTTP POST request to the /rag/api/v1/doc endpoint, initiating a file upload.
3. The attacker includes a malicious filename in the multipart form data, containing path traversal sequences (e.g., ../../../../../../../../../../tmp/pwned.txt).
4. The Open WebUI server receives the request and extracts the unsanitized filename from the HTTP POST request.
5. The server constructs a file path using the provided filename and the static UPLOAD_DIR variable.
6. The server proceeds to write the contents of the uploaded file to the constructed file path, effectively bypassing intended directory restrictions.
7. A malicious actor can overwrite existing system files, such as .ssh/authorized_keys for unauthorized system access.
8. Alternatively, an attacker uploads a malicious model as a pickled python object to achieve remote code execution.

Impact

Successful exploitation of this vulnerability, identified as CVE-2026-44566, can lead to arbitrary code execution on the server. An attacker could gain unauthorized access to the system, potentially leading to data breaches, system compromise, or denial of service. The vulnerable version, 0.1.105, is actively exploitable, and organizations using this version are at risk. The targeted platform observed during analysis was Debian GNU/Linux 12.

Recommendation

• Upgrade Open WebUI to a version beyond 0.1.123 which addresses the CVE-2026-44566 vulnerability.
• Implement input validation and sanitization on the server-side to prevent path traversal attacks during file uploads to mitigate the arbitrary file upload.
• Deploy the Sigma rule “Detect Open WebUI Path Traversal File Upload” to identify exploitation attempts in web server logs.
• Monitor web server logs for HTTP POST requests to the /rag/api/v1/doc endpoint with filenames containing path traversal sequences.