CVE-2026-54014 in Open WebUI
Summary
by MITRE • 06/23/2026
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator. The root cause is that serve_cache_file() in open_webui/main.py validates the resolved path with file_path.startswith(os.path.abspath(CACHE_DIR)) — without appending os.sep. This allows any path resolving to a sibling directory whose name begins with cache (e.g. cache_sibling, cache_backup, cached_models) to pass validation. This vulnerability is fixed in 0.9.6.
Analysis
by VulDB Data Team • 06/23/2026
The Open WebUI platform represents a self-hosted artificial intelligence solution designed for offline operation, making it a critical component in environments where network isolation and data privacy are paramount. However, prior to version 0.9.6, this platform contained a significant path traversal vulnerability that could compromise the security of authenticated users. This vulnerability stems from inadequate validation mechanisms within the cache file serving endpoint, creating a potential attack vector that could allow unauthorized access to sensitive files outside the intended cache directory boundaries.
The flaw is in the serve_cache_file() function in open_webui/main.py, whose path validation uses an incomplete containment check. The implementation validates the resolved file path with file_path.startswith(os.path.abspath(CACHE_DIR)) and does not append a trailing path separator to the cache directory before comparing. This seemingly minor omission lets a request bypass the intended directory restriction. Because startswith performs string prefix matching rather than matching on a directory boundary, a path that merely begins with the cache directory's name passes validation even when it resolves to a file in a sibling directory.
The operational impact of this vulnerability extends beyond simple file access, as authenticated users can leverage this flaw to read arbitrary files from neighboring directories. Attackers could exploit paths such as cache_sibling, cache_backup, or cached_models where the directory names begin with "cache" but represent different directory structures. This allows for potential information disclosure of sensitive configuration files, authentication credentials, or other system artifacts that might be stored in adjacent directories. The vulnerability affects any user who has authenticated access to the platform, making it particularly concerning in multi-user environments where privilege separation is essential.
This security weakness aligns with CWE-22 Path Traversal and can be categorized under ATT&CK technique T1059 Command and Scripting Interpreter, as it enables unauthorized file reading through legitimate platform functionality. The vulnerability represents a classic example of improper input validation where the containment check fails to properly isolate directory boundaries. Organizations using Open WebUI versions prior to 0.9.6 face significant risk of data exposure, particularly in scenarios where the cache directory might contain sensitive information or where adjacent directories house configuration files with credentials or other confidential data.
The fix implemented in version 0.9.6 addresses this vulnerability by properly implementing path containment through the addition of os.sep to the startswith validation check. This ensures that the path validation operates on exact directory boundaries rather than simple prefix matching, preventing traversal attacks against sibling directories whose names begin with the cache directory designation. Security teams should prioritize updating to version 0.9.6 or later to remediate this vulnerability and maintain the integrity of their self-hosted AI platform deployments. Organizations should also consider implementing additional monitoring for unauthorized file access patterns and conduct regular security assessments to identify similar validation flaws in other components of their infrastructure.
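The containment check described above, next to the corrected form, as an added example (not Open WebUI's own code). The function names, the /srv/app/data layout, the sample file names, and the way the requested path is joined to CACHE_DIR are assumptions for illustration; the os.path.commonpath variant is an alternative not mentioned in the advisory.

```python
import os

# Constructed sample layout; these directories need not exist on disk.
CACHE_DIR = os.path.join(os.sep, "srv", "app", "data", "cache")


def resolve(requested: str) -> str:
    """Resolve a caller-supplied relative path against CACHE_DIR (assumed flow)."""
    return os.path.abspath(os.path.join(CACHE_DIR, requested))


def contained_prefix_only(file_path: str) -> bool:
    """The check as the advisory describes it: string prefix, no separator."""
    return file_path.startswith(os.path.abspath(CACHE_DIR))


def contained_with_sep(file_path: str) -> bool:
    """The described fix: the prefix must end at a path-component boundary."""
    return file_path.startswith(os.path.abspath(CACHE_DIR) + os.sep)


def contained_commonpath(file_path: str) -> bool:
    """Alternative: compare whole path components instead of characters."""
    base = os.path.abspath(CACHE_DIR)
    return os.path.commonpath([base, file_path]) == base


def audit(requests):
    """Return (requested, resolved, prefix_only, with_sep, commonpath) rows."""
    rows = []
    for req in requests:
        p = resolve(req)
        rows.append((req, p, contained_prefix_only(p),
                     contained_with_sep(p), contained_commonpath(p)))
    return rows


# Constructed inputs: one legitimate cache file, two sibling directory names
# taken from the advisory, and one unrelated directory every check rejects.
SAMPLES = [
    os.path.join("image", "logo.png"),
    os.path.join("..", "cache_backup", "db.sqlite"),
    os.path.join("..", "cached_models", "weights.bin"),
    os.path.join("..", "uploads", "a.txt"),
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Only the prefix-only check accepts the two sibling paths; both boundary-aware checks accept the legitimate cache file and reject everything else.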