CVE-2026-59217 in Open WebUI
Summary
by MITRE • 07/09/2026
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability described represents a critical access control flaw within the Open WebUI platform that undermines the integrity of its knowledge base management system. This issue existed prior to version 0.10.0 and demonstrates a significant weakness in the platform's authorization mechanisms, specifically affecting how file uploads are processed and linked to knowledge bases. The vulnerability stems from inconsistent security checks applied during different upload pathways within the application's API structure.
The technical flaw manifests when users with read-only permissions attempt to upload files through the metadata.knowledge_id parameter pathway. Unlike the standard /api/v1/knowledge//file/add endpoint which properly validates write access before permitting file addition, this alternative upload route bypasses critical authorization checks. The system automatically links uploaded files to the specified knowledge base without verifying that the user possesses the necessary write permissions for that particular knowledge base. This behavior creates an arbitrary file addition vulnerability that allows unauthorized users to inject content into knowledge bases they should not be able to modify.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables potential attackers or malicious insiders to populate knowledge bases with unwanted files without proper authorization. This could lead to data poisoning attacks where unauthorized content is introduced into the system, potentially compromising the accuracy and reliability of information stored within these knowledge bases. The vulnerability affects the platform's ability to maintain proper access controls and could enable further exploitation if combined with other weaknesses in the system architecture.
This issue aligns with CWE-285 (Improper Authorization) and represents a classic case of insufficient access control validation within API endpoints. The vulnerability demonstrates how different code paths within the same application can have inconsistent security checks, creating potential attack vectors that bypass intended authorization mechanisms. From an ATT&CK perspective, this weakness maps to T1078 (Valid Accounts) and T1566 (Phishing) as it could enable attackers to leverage legitimate user accounts to perform unauthorized file operations within the knowledge management system.
The fix implemented in version 0.10.0 addresses this by ensuring consistent authorization checks across all file upload pathways, requiring proper write access verification regardless of the specific API endpoint used for file addition. This remediation aligns with security best practices that mandate uniform access control validation throughout application components and reinforces the principle of least privilege enforcement. Organizations using Open WebUI should prioritize updating to version 0.10.0 or later to mitigate this vulnerability and maintain proper access controls within their self-hosted AI platform infrastructure.