{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-webui/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","code-execution","authorization"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI's tool update endpoint (\u003ccode\u003ePOST /api/v1/tools/id/{id}/update\u003c/code\u003e) lacks the \u003ccode\u003eworkspace.tools\u003c/code\u003e permission check that is enforced on the tool creation endpoint. This flaw permits a user, explicitly denied tool management permissions, to replace a tool's server-side Python code and execute it. The vulnerability breaks the intended security policy where \u003ccode\u003eworkspace.tools\u003c/code\u003e is the trust boundary for code execution. A \u003ccode\u003ewrite\u003c/code\u003e access grant on a single tool is sufficient to bypass \u003ccode\u003eworkspace.tools\u003c/code\u003e entirely, leading to code execution by an untrusted user. 
This vulnerability exists in the \u003ccode\u003emain\u003c/code\u003e branch of the Open WebUI project.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator deploys Open WebUI with the default configuration.\u003c/li\u003e\n\u003cli\u003eThe administrator enables \u003ccode\u003eworkspace.tools\u003c/code\u003e permission for a trusted user, Alice.\u003c/li\u003e\n\u003cli\u003eAlice creates a tool with benign Python code.\u003c/li\u003e\n\u003cli\u003eAlice grants \u003ccode\u003ewrite\u003c/code\u003e access to the tool to an untrusted user, Bob, for collaboration purposes.\u003c/li\u003e\n\u003cli\u003eThe administrator disables the global \u003ccode\u003eworkspace.tools\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eBob updates the tool's content via the \u003ccode\u003ePOST /api/v1/tools/id/{id}/update\u003c/code\u003e endpoint with malicious Python code.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eworkspace.tools\u003c/code\u003e check, the malicious code is executed on the server.\u003c/li\u003e\n\u003cli\u003eBob achieves code execution and potentially gains unauthorized access to sensitive information or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an untrusted user to bypass intended security restrictions and execute arbitrary code on the Open WebUI server. Successful exploitation can lead to privilege escalation, potentially granting the attacker full control over the Open WebUI instance and access to sensitive data. The impact includes potential data breaches, system compromise, and unauthorized access to connected systems. 
The vulnerability affects all installations where an administrator has granted write access to tools to users without \u003ccode\u003eworkspace.tools\u003c/code\u003e permissions, even if the global \u003ccode\u003eworkspace.tools\u003c/code\u003e permission is subsequently revoked.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by Open WebUI to re-introduce the \u003ccode\u003eworkspace.tools\u003c/code\u003e permission check on the tool update endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Tool Update Endpoint Bypass\u003c/code\u003e to detect attempts to exploit this vulnerability based on request paths.\u003c/li\u003e\n\u003cli\u003eReview existing user permissions and revoke write access to tools for any untrusted users who do not have the \u003ccode\u003eworkspace.tools\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/api/v1/tools/id/{id}/update\u003c/code\u003e endpoint (category \u003ccode\u003ewebserver\u003c/code\u003e) originating from unexpected IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:37:32Z","date_published":"2026-05-14T20:37:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-privesc/","summary":"Open WebUI is vulnerable to privilege escalation and code execution because a missing authorization check on the tool update endpoint allows a user with write access to a tool to replace the tool's server-side Python content and trigger execution, bypassing the intended `workspace.tools` security boundary.","title":"Open WebUI Missing Authorization on Tool Update Endpoint Allows Privilege Escalation to Code 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI"],"_cs_severities":["high"],"_cs_tags":["idor","authorization_bypass","data_manipulation"],"_cs_type":"advisory","_cs_vendors":["Open Web UI"],"content_html":"\u003cp\u003eOpen WebUI, a web interface for language models, is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in its Retrieval API. This flaw, identified in commit \u003ccode\u003e4d058a125\u003c/code\u003e (v0.8.11) on March 26, 2026, allows authenticated users to bypass knowledge base access controls. Specifically, the \u003ccode\u003e_validate_collection_access\u003c/code\u003e function fails to properly validate access to knowledge base collections, which use UUIDs as collection names. As a result, an attacker who knows the UUID of a private knowledge base can read its contents, inject malicious content, or even overwrite the entire knowledge base through the retrieval query endpoints. This vulnerability exists because the validation function only checks for the \u003ccode\u003euser-memory-*\u003c/code\u003e and \u003ccode\u003efile-*\u003c/code\u003e prefixes, leaving knowledge base UUIDs unchecked. 
This vulnerability is reachable in default configurations, affecting any non-admin account.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains an authenticated account on the Open WebUI instance.\u003c/li\u003e\n\u003cli\u003eVictim user creates a private knowledge base containing sensitive information.\u003c/li\u003e\n\u003cli\u003eAttacker discovers the UUID of the victim's knowledge base through methods such as shared workspaces, model metadata leakage via the \u003ccode\u003e/api/models/list\u003c/code\u003e endpoint, URL leakage, or RAG citation metadata in shared chats.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious POST request to \u003ccode\u003e/api/v1/retrieval/query/doc\u003c/code\u003e or \u003ccode\u003e/api/v1/retrieval/query/collection\u003c/code\u003e with the victim's knowledge base UUID as the \u003ccode\u003ecollection_name\u003c/code\u003e, bypassing authorization checks and reading the contents of the knowledge base.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a POST request to \u003ccode\u003e/api/v1/retrieval/process/text\u003c/code\u003e with the victim's knowledge base UUID as the \u003ccode\u003ecollection_name\u003c/code\u003e to inject attacker-controlled content into the knowledge base.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a POST request to \u003ccode\u003e/api/v1/retrieval/process/web\u003c/code\u003e or \u003ccode\u003e/api/v1/retrieval/process/youtube\u003c/code\u003e with the victim's knowledge base UUID as the \u003ccode\u003ecollection_name\u003c/code\u003e to overwrite the victim's entire knowledge base.\u003c/li\u003e\n\u003cli\u003eThe injected or replaced content is then used in downstream RAG processes, potentially leading to the exposure of sensitive information or prompt injection attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully compromises the confidentiality, integrity, and 
availability of the victim's knowledge base.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows unauthorized access to private knowledge bases, potentially exposing sensitive information. Attackers can inject malicious content, leading to integrity breaches and potential prompt injection attacks. The ability to overwrite knowledge bases leads to availability issues and data destruction. A successful attack can compromise the confidentiality, integrity, and availability of user data, potentially affecting all users of the Open WebUI instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unauthorized access to knowledge bases by monitoring API requests containing UUID-formatted \u003ccode\u003ecollection_name\u003c/code\u003e parameters: \u003ccode\u003eDetect Open WebUI Unauthorized Knowledge Base Access\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Knowledge Base Manipulation via Retrieval API\u003c/code\u003e to identify malicious POST requests to \u003ccode\u003e/api/v1/retrieval/process/*\u003c/code\u003e endpoints with knowledge base UUIDs as \u003ccode\u003ecollection_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the remediation steps suggested in the original advisory by checking permission on the KB collection in the \u003ccode\u003e_validate_collection_access\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the vulnerable endpoints (\u003ccode\u003e/api/v1/retrieval/query/doc\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/query/collection\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/text\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/web\u003c/code\u003e, 
\u003ccode\u003e/api/v1/retrieval/process/youtube\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/file\u003c/code\u003e, \u003ccode\u003e/api/v1/retrieval/process/files/batch\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:32:37Z","date_published":"2026-05-14T20:32:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/","summary":"Open WebUI is vulnerable to an IDOR vulnerability in its Retrieval API that bypasses knowledge base access controls, allowing any authenticated user who knows a private knowledge base UUID to read, inject content into, or overwrite another user's knowledge base.","title":"Open WebUI IDOR Vulnerability in Retrieval API Allows Unauthorized Access and Modification of Knowledge Bases","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-idor/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui"],"_cs_severities":["high"],"_cs_tags":["cors","rce","session-management","open-webui"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA critical vulnerability exists in Open WebUI version v0.3.10 due to a combination of CORS misconfiguration (GHSL-2024-174) and session management flaws (GHSL-2024-175). The CORS misconfiguration on multiple API endpoints allows arbitrary websites to make authenticated cross-site requests to Open WebUI. When combined with the failure to invalidate session cookies upon logout, this allows an attacker to perform a one-click attack, potentially gaining remote code execution on the Open WebUI instance.  The application, by default, runs as root within a Docker container, escalating the impact to a full container compromise.  
This vulnerability affects users who have admin access to the \u003ccode\u003e/api/v1/functions\u003c/code\u003e endpoint, allowing execution of arbitrary code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious website (\u003ccode\u003eattacker.com\u003c/code\u003e) containing JavaScript code that exploits the CORS misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker lures an Open WebUI administrator to visit the malicious website.\u003c/li\u003e\n\u003cli\u003eThe JavaScript on the attacker's website bypasses CORS restrictions due to the \u003ccode\u003eallow_origins=[\u0026quot;*\u0026quot;]\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe malicious script sends an authenticated POST request to the \u003ccode\u003e/api/v1/functions/create\u003c/code\u003e endpoint, creating a malicious filter. This step requires the user to have an active Open WebUI session.\u003c/li\u003e\n\u003cli\u003eThe attacker's script then sends another POST request to \u003ccode\u003e/api/v1/functions/id/{filter_id}/toggle\u003c/code\u003e to activate the newly created filter, executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code injected by the filter executes a command (e.g., \u003ccode\u003ewhoami\u003c/code\u003e) and writes the output to a file (\u003ccode\u003e/tmp/whoami.txt\u003c/code\u003e) on the Open WebUI server.\u003c/li\u003e\n\u003cli\u003eBecause Open WebUI reuses session cookies after logout, the attacker can potentially regain access even if the admin has logged out, provided the browser hasn't been closed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the Open WebUI server, with the potential to fully compromise the Docker container due to the default root user context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability 
allows an attacker to execute arbitrary code on the Open WebUI server. Given the default configuration where Open WebUI runs as root within a Docker container, this can lead to a complete compromise of the container and potentially the host system. The vulnerability affects any Open WebUI instance with an administrator who visits the malicious website, making it a widespread risk. The lack of session invalidation post-logout increases the window of opportunity for attackers, even if the admin user is no longer actively using the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eModify the Open WebUI CORS configuration to remove the permissive \u003ccode\u003eallow_origins=[\u0026quot;*\u0026quot;]\u003c/code\u003e and implement a more restrictive policy. Allow dynamic setup of allowed origins via the administration panel or a configuration file, as described in the remediation guidance for GHSL-2024-174.\u003c/li\u003e\n\u003cli\u003eImplement proper session invalidation upon logout. 
Ensure new cookies are generated for every session, and invalidate/remove previous session cookies from the browser's storage upon logout, as described in the remediation guidance for GHSL-2024-175.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Open WebUI Function Creation via API\u0026quot; to identify potential exploitation attempts targeting the \u003ccode\u003e/api/v1/functions/create\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:05:41Z","date_published":"2026-05-11T14:05:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-cors-rce/","summary":"Open WebUI version v0.3.10 has a CORS misconfiguration and session validation issue that can lead to remote code execution due to a one-click attack against admin users.","title":"Open WebUI CORS Misconfiguration and Session Validation Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-cors-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-deletion","web-application"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI version 0.1.105 is vulnerable to a path traversal vulnerability (CVE-2026-44565) affecting the \u003ccode\u003e/ollama/models/upload\u003c/code\u003e API route. This vulnerability, discovered by Taylor Pennington of KoreLogic, Inc., allows an attacker to upload files with arbitrary names to the server. Due to the lack of filename sanitization, an attacker can use dot-segments (../) to traverse the filesystem and write files to locations outside the intended upload directory. After the file is written successfully, the application attempts to remove the file using \u003ccode\u003eos.remove(file_path)\u003c/code\u003e, leading to arbitrary file deletion. 
This issue can lead to denial of service or potentially be chained with other vulnerabilities for more severe impact if the attacker can overwrite critical system files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the Open WebUI HTTP interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/ollama/models/upload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a file attachment with a filename containing path traversal sequences (e.g., \u003ccode\u003e../../../../../../../tmp/DELETE_ME\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server receives the request and, without proper sanitization, constructs a file path using the attacker-controlled filename and saves the uploaded file to the specified location.\u003c/li\u003e\n\u003cli\u003eThe server attempts to pass the file to another internal API.\u003c/li\u003e\n\u003cli\u003eOnce the file is successfully processed by the internal API, the server attempts to remove the file using \u003ccode\u003eos.remove(file_path)\u003c/code\u003e with the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the server deletes the file at the attacker-specified location on the filesystem.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files on the system that the Open WebUI user has permissions to modify. This can lead to denial of service, data loss, or potentially be chained with other vulnerabilities to achieve arbitrary code execution if the attacker is able to overwrite critical system files. 
While the source mentions it might be possible to create a race condition, this was not validated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch or upgrade to a version of Open WebUI greater than 0.1.105, which incorporates the recommended mitigation (\u003ca href=\"https://github.com/advisories/GHSA-j3fw-wc48-29g3\"\u003ehttps://github.com/advisories/GHSA-j3fw-wc48-29g3\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Open WebUI Path Traversal Upload Attempt\u0026quot; to identify malicious requests attempting to exploit CVE-2026-44565.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to the \u003ccode\u003e/ollama/models/upload\u003c/code\u003e endpoint containing filenames with path traversal sequences to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:05:23Z","date_published":"2026-05-11T14:05:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-path-traversal/","summary":"Open WebUI is vulnerable to path traversal (CVE-2026-44565), allowing attackers to upload files to arbitrary locations on the web server's filesystem and subsequently delete them due to insufficient filename sanitization in the `/ollama/models/upload` API endpoint.","title":"Open WebUI Arbitrary File Write/Delete via Path Traversal","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Open-Webui","version":"https://jsonfeed.org/version/1.1"}