GHSA-26g9-27vm-x3q8: Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
Summary
Any authenticated user can permanently delete files owned by other users in Open WebUI when those files are referenced in shared chats, because the authorization check (the code that verifies whether a user should be allowed to perform an action) ignores both the user's identity and the type of operation being requested. File IDs can be discovered by users with read access to knowledge bases (repositories of documents), making this vulnerability practical to exploit.
Solution / Mitigation
Gate the shared-chat branch on `access_type` so it only authorizes read operations:

```python
if access_type == "read":
    chats = Chats.get_shared_chats_by_file_id(file_id, db=db)
    if chats:
        return True
```

This ensures that only read requests pass the authorization check when a file is in a shared chat, while delete and write requests are blocked.
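To make the fix concrete, here is an added, self-contained model of the check (not Open WebUI's own code): the vulnerable shared-chat branch that returns True for any operation beside the gated version from the mitigation. `FileRecord`, `get_shared_chats_by_file_id`, the two `*_has_file_access` functions and the in-memory data are constructed stand-ins for the project's `Chats` model and database.

```python
from dataclasses import dataclass


@dataclass
class FileRecord:
    """Constructed stand-in for a stored file: id plus owning user."""
    id: str
    user_id: str


# Constructed data: file-a is referenced by a shared chat, file-b is not.
SHARED_CHAT_FILE_IDS = {"file-a"}


def get_shared_chats_by_file_id(file_id: str) -> list:
    """Stand-in for Chats.get_shared_chats_by_file_id(file_id, db=db)."""
    return [{"chat_id": "chat-1"}] if file_id in SHARED_CHAT_FILE_IDS else []


def vulnerable_has_file_access(file: FileRecord, user_id: str, access_type: str) -> bool:
    """Pre-fix logic: the shared-chat branch never looks at access_type,
    so any authenticated user may write or delete a file in a shared chat."""
    if file.user_id == user_id:
        return True
    if get_shared_chats_by_file_id(file.id):
        return True  # bug: grants read, write and delete alike
    return False


def fixed_has_file_access(file: FileRecord, user_id: str, access_type: str) -> bool:
    """Post-fix logic: the shared-chat branch only ever authorizes reads."""
    if file.user_id == user_id:
        return True
    if access_type == "read":
        chats = get_shared_chats_by_file_id(file.id)
        if chats:
            return True
    return False


if __name__ == "__main__":
    shared = FileRecord(id="file-a", user_id="alice")
    # A non-owner's delete is authorized by the vulnerable check but not the fixed one.
    print(vulnerable_has_file_access(shared, "bob", "delete"))  # True
    print(fixed_has_file_access(shared, "bob", "delete"))       # False
    print(fixed_has_file_access(shared, "bob", "read"))         # True
```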
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-26g9-27vm-x3q8
First tracked: May 14, 2026 at 08:00 PM