CVE-2026-59212 in Open WebUIinfo

Summary

by MITRE • 07/09/2026

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _verify_knowledge_file_access only checked read access while file write and delete routes later trusted object-derived access through writable model meta.knowledge entries, allowing a user with read-only knowledge file access to upgrade to file write or delete operations. This issue is fixed in version 0.10.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability exists within the Open WebUI platform version 0.9.6 through 0.10.0 where the authorization mechanism fails to properly validate file operations across different privilege levels. The core flaw lies in the _verify_knowledge_file_access function which only validates read permissions for knowledge files but does not enforce proper access controls for write and delete operations. This creates a critical authorization bypass vulnerability that allows attackers with minimal read-only access to escalate their privileges and perform destructive file operations.

The technical implementation of this vulnerability stems from inconsistent security checks within the platform's access control system. When users attempt to perform file operations such as writing or deleting knowledge files, the system relies on metadata stored in model meta.knowledge entries that may have been derived from previously granted read access. This design flaw creates a trust relationship between read and write operations without proper verification of elevated privileges. The vulnerability aligns with CWE-284 which addresses improper access control and represents a classic case of privilege escalation through insufficient authorization checks.

The operational impact of this vulnerability is significant as it enables unauthorized users to modify or delete critical knowledge files within the Open WebUI platform. Attackers who initially gain read-only access to knowledge files can exploit this weakness to perform write operations that may include injecting malicious content, modifying existing data, or deleting important information. This could result in complete data corruption, loss of intellectual property, or disruption of AI platform functionality. The vulnerability affects all users who have been granted read access to knowledge files, making it particularly dangerous in multi-user environments where privilege separation is expected.

Mitigation strategies should focus on implementing proper authorization checks that validate all file operations against the user's actual privileges rather than trusting derived metadata from previous access attempts. The fix implemented in version 0.10.0 addresses this by ensuring that write and delete operations require explicit verification of appropriate permissions, regardless of any previous read access. Organizations should immediately upgrade to version 0.10.0 or later and conduct thorough audits of existing knowledge file permissions to identify any potential unauthorized access. This vulnerability demonstrates the importance of maintaining consistent security controls across all operations within a platform and aligns with ATT&CK technique T1078 which covers valid accounts and privilege escalation through improper access control mechanisms.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!