{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-28788/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Open WebUI"],"_cs_severities":["high"],"_cs_tags":["cve-2026-28788","open-webui","file-overwrite","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI is a self-hosted artificial intelligence platform designed for offline operation. A critical vulnerability exists in versions prior to 0.8.6. This vulnerability allows any authenticated user, regardless of their intended privileges, to overwrite the content of any file accessible by the platform. The flaw stems from a lack of ownership checks within the \u003ccode\u003ePOST /api/v1/retrieval/process/files/batch\u003c/code\u003e endpoint. This means a standard user with read access to a shared knowledge base can leverage the vulnerability to escalate their privileges and potentially influence the behavior of the language model (LLM). By obtaining file UUIDs and manipulating their content, an attacker can control the information served to the LLM via Retrieval-Augmented Generation (RAG), effectively poisoning the model's responses to other users. Upgrading to version 0.8.6 or later resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Open WebUI platform with a standard user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a shared knowledge base they have read access to.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/v1/knowledge/{id}/files\u003c/code\u003e to retrieve a list of file UUIDs within the knowledge base.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a target file UUID from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/api/v1/retrieval/process/files/batch\u003c/code\u003e endpoint, including the target file UUID and malicious content they wish to inject.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper ownership or permission checks, overwriting the original file content with the attacker's payload.\u003c/li\u003e\n\u003cli\u003eThe LLM, utilizing RAG, now serves the attacker-controlled content to other users who query the knowledge base.\u003c/li\u003e\n\u003cli\u003eThe attacker has successfully manipulated the LLM's responses and potentially gained unauthorized control over information dissemination within the platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-28788 allows any authenticated user to overwrite arbitrary files within Open WebUI. This leads to privilege escalation, where a standard user gains write access to files they should only have read access to. More critically, an attacker can manipulate the content served to the LLM via RAG, effectively poisoning the model and providing false or malicious information to other users. This could lead to data breaches, misinformation campaigns, or other security incidents, depending on the content and context of the LLM's usage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Open WebUI to version 0.8.6 or later to patch CVE-2026-28788.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI File Overwrite Attempt\u003c/code\u003e to monitor for suspicious \u003ccode\u003ePOST\u003c/code\u003e requests to the \u003ccode\u003e/api/v1/retrieval/process/files/batch\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement strict file access controls and ownership checks within the Open WebUI platform to prevent unauthorized file modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-open-webui-file-overwrite/","summary":"Open WebUI before version 0.8.6 allows any authenticated user to overwrite arbitrary file content via the `POST /api/v1/retrieval/process/files/batch` endpoint, leading to privilege escalation and potential manipulation of LLM responses.","title":"Open WebUI Authenticated File Overwrite Vulnerability (CVE-2026-28788)","url":"https://feed.craftedsignal.io/briefs/2024-01-open-webui-file-overwrite/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-28788","version":"https://jsonfeed.org/version/1.1"}