<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-28788 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-28788/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-28788/feed.xml" rel="self" type="application/rss+xml"/><item><title>Open WebUI Authenticated File Overwrite Vulnerability (CVE-2026-28788)</title><link>https://feed.craftedsignal.io/briefs/2024-01-open-webui-file-overwrite/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-open-webui-file-overwrite/</guid><description>Open WebUI before version 0.8.6 allows any authenticated user to overwrite arbitrary file content via the `POST /api/v1/retrieval/process/files/batch` endpoint, leading to privilege escalation and potential manipulation of LLM responses.</description><content:encoded><![CDATA[<p>Open WebUI is a self-hosted artificial intelligence platform designed for offline operation. A critical vulnerability exists in versions prior to 0.8.6. This vulnerability allows any authenticated user, regardless of their intended privileges, to overwrite the content of any file accessible by the platform. The flaw stems from a lack of ownership checks within the <code>POST /api/v1/retrieval/process/files/batch</code> endpoint. This means a standard user with read access to a shared knowledge base can leverage the vulnerability to escalate their privileges and potentially influence the behavior of the language model (LLM). By obtaining file UUIDs and manipulating their content, an attacker can control the information served to the LLM via Retrieval-Augmented Generation (RAG), effectively poisoning the model's responses to other users. Upgrading to version 0.8.6 or later resolves this issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the Open WebUI platform with a standard user account.</li>
<li>The attacker identifies a shared knowledge base they have read access to.</li>
<li>The attacker sends a <code>GET</code> request to <code>/api/v1/knowledge/{id}/files</code> to retrieve a list of file UUIDs within the knowledge base.</li>
<li>The attacker selects a target file UUID from the list.</li>
<li>The attacker crafts a <code>POST</code> request to the <code>/api/v1/retrieval/process/files/batch</code> endpoint, including the target file UUID and malicious content they wish to inject.</li>
<li>The server processes the request without proper ownership or permission checks, overwriting the original file content with the attacker's payload.</li>
<li>The LLM, utilizing RAG, now serves the attacker-controlled content to other users who query the knowledge base.</li>
<li>The attacker has successfully manipulated the LLM's responses and potentially gained unauthorized control over information dissemination within the platform.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-28788 allows any authenticated user to overwrite arbitrary files within Open WebUI. This leads to privilege escalation, where a standard user gains write access to files they should only have read access to. More critically, an attacker can manipulate the content served to the LLM via RAG, effectively poisoning the model and providing false or malicious information to other users. This could lead to data breaches, misinformation campaigns, or other security incidents, depending on the content and context of the LLM's usage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Open WebUI to version 0.8.6 or later to patch CVE-2026-28788.</li>
<li>Deploy the Sigma rule <code>Detect Open WebUI File Overwrite Attempt</code> to monitor for suspicious <code>POST</code> requests to the <code>/api/v1/retrieval/process/files/batch</code> endpoint.</li>
<li>Implement strict file access controls and ownership checks within the Open WebUI platform to prevent unauthorized file modifications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-28788</category><category>open-webui</category><category>file-overwrite</category><category>privilege-escalation</category></item></channel></rss>