{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45402/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.9.4)"],"_cs_severities":["high"],"_cs_tags":["open-webui","file-access","privilege-escalation","cve-2026-45402"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpen WebUI versions 0.9.4 and earlier are susceptible to a cross-user file access vulnerability. The vulnerability stems from a lack of proper authorization checks when handling user-supplied \u003ccode\u003efile_id\u003c/code\u003e values in the Folder Knowledge and Knowledge-Base Attach endpoints. An authenticated attacker can exploit this flaw to access and potentially overwrite files belonging to other users by manipulating folder knowledge or attaching malicious files to knowledge bases. The vulnerability was reported on May 14, 2026, and affects systems where Open WebUI is deployed. Exploitation requires knowledge of the victim\u0026rsquo;s file UUID, which, while not directly enumerable, may leak through normal usage patterns, such as chat sources, shared chat citations, URL paths, browser history, and export/share flows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Open WebUI application.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the UUID of a target file belonging to another user through various means, such as shared chats, URL paths, or browser history.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/api/v1/folders/\u0026lt;attacker_folder_id\u0026gt;/update\u003c/code\u003e endpoint (Path 1) or \u003ccode\u003e/api/v1/knowledge/\u0026lt;kb_id\u0026gt;/file/add\u003c/code\u003e endpoint (Path 2).\u003c/li\u003e\n\u003cli\u003eIn Path 1, the attacker includes a \u003ccode\u003edata\u003c/code\u003e payload with a \u003ccode\u003efiles\u003c/code\u003e array containing the victim\u0026rsquo;s file UUID, structured as \u003ccode\u003e{\u0026quot;data\u0026quot;: {\u0026quot;files\u0026quot;: [{\u0026quot;id\u0026quot;: \u0026quot;\u0026lt;victim_file_id\u0026gt;\u0026quot;, \u0026quot;type\u0026quot;: \u0026quot;file\u0026quot;}]}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn Path 2, the attacker provides the victim file UUID as the \u003ccode\u003efile_id\u003c/code\u003e parameter in the request body: \u003ccode\u003e{\u0026quot;file_id\u0026quot;:\u0026quot;$VICTIM_FILE_ID\u0026quot;}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf exploiting Path 2, the attacker creates a new knowledge base using the \u003ccode\u003e/api/v1/knowledge/create\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper authorization checks on the \u003ccode\u003efile_id\u003c/code\u003e, attaches the victim\u0026rsquo;s file to the attacker\u0026rsquo;s folder or knowledge base.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access the victim\u0026rsquo;s file content through RAG flows (Path 1) or the \u003ccode\u003e/api/v1/files/{id}/content\u003c/code\u003e endpoint (Path 2) and, in Path 2, overwrite it using the \u003ccode\u003e/api/v1/files/{id}/data/content/update\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to read the contents of any other user\u0026rsquo;s private uploaded file, given knowledge of the file UUID. In the case of Path 2 (knowledge-base attach), the attacker can also overwrite the victim\u0026rsquo;s file content, leading to data tampering and potential misinformation. This can lead to unauthorized data access, data breaches, and integrity compromises. There is no direct availability impact, as the file rows are not deleted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by validating the supplied \u003ccode\u003efile_id\u003c/code\u003e against the caller\u0026rsquo;s read access before attaching the file in every writer function (\u003ccode\u003ebackend/open_webui/routers/folders.py\u003c/code\u003e, \u003ccode\u003ebackend/open_webui/routers/knowledge.py\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Knowledge Base File Add\u003c/code\u003e to detect exploitation attempts targeting the Knowledge-Base Attach endpoint (Path 2).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Open WebUI Folder Update with File Injection\u003c/code\u003e to detect exploitation attempts targeting the Folder Knowledge ingestion path (Path 1).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Open WebUI that addresses CVE-2026-45402.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:31:27Z","date_published":"2026-05-14T20:31:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-file-access/","summary":"Open WebUI is vulnerable to cross-user file access due to unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints, allowing authenticated users to exfiltrate or overwrite other users' private files given the file UUID (CVE-2026-45402).","title":"Open WebUI Cross-User File Access Vulnerability (CVE-2026-45402)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45402","version":"https://jsonfeed.org/version/1.1"}