{"data":{"id":"445f8336-b67b-460d-990e-62304d2f9830","title":"GHSA-jjp7-g2jw-wh3j: Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite","summary":"Open WebUI's file batch processing endpoint lacks an ownership check, allowing any authenticated user to overwrite files in shared knowledge bases by knowing their IDs. An attacker can then poison the RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) system, causing the LLM to serve the attacker's malicious content to other users.","solution":"Add an ownership verification check before writing files. The source suggests this code:\n\nfor file in form_data.files:\n db_file = Files.get_file_by_id(file.id)\n if not db_file or (db_file.user_id != user.id and user.role != \"admin\"):\n file_errors.append(BatchProcessFilesResult(\n file_id=file.id, status=\"failed\",\n error=\"Permission denied: not file owner\",\n ))\n continue\n\nThis verifies that only the file's owner or an admin can modify it before the write operation proceeds.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-jjp7-g2jw-wh3j","publishedAt":"2026-03-27T15:34:26.000Z","cveId":"CVE-2026-28788","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":["open-webui@< 0.8.6 (fixed: 0.8.6)"],"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Open WebUI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00036,"patchAvailable":true,"disclosureDate":"2026-03-27T15:34:26.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"rag","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0020","AML.T0051.001"]}}