GHSA-r472-mw7m-967f: Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Summary
Open WebUI has a security flaw where authenticated users can read and modify other users' private files through two endpoints that accept a file_id from the request without verifying that the caller owns the referenced file. In the first case, an attacker can add a victim's file ID to the knowledge of a folder they control, so the model reads the victim's private document as context for the attacker's chats. In the second case, an attacker can attach a victim's file to a knowledge base they own (a collection of documents used for retrieval-augmented generation, RAG) and from there read and overwrite that file's contents. The impact is cross-user disclosure and tampering of file contents by any authenticated user who knows or can guess a victim's file ID.
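The pattern behind both endpoints is an insecure direct object reference: the caller's ownership of the container (folder or knowledge base) is checked, but the file_id taken from the request is only checked for existence. The following is an added illustration, not Open WebUI's code and not taken from the advisory: the function names, the in-memory store and the sample users and files are all constructed for the example. It shows the vulnerable attach beside the fixed one, and how an attached file's content then flows out through a read and an overwrite.

```python
"""Added example (not Open WebUI's code): a file_id trusted from the request
versus a file_id checked against the caller's ownership. All names and data
are constructed for illustration."""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for a missing resource and, in the fixed path, for a file the
    caller may not reference, so the endpoint does not reveal which it was."""


@dataclass
class FileRecord:
    id: str
    owner_id: str
    content: str


@dataclass
class KnowledgeBase:
    id: str
    owner_id: str
    file_ids: list = field(default_factory=list)


@dataclass
class Store:
    files: dict
    knowledge: dict


def demo_store() -> Store:
    """Constructed sample data: one private file per user and one knowledge
    base owned by the attacker. Nothing here is real Open WebUI state."""
    return Store(
        files={
            "file-victim": FileRecord("file-victim", "victim", "victim's private notes"),
            "file-attacker": FileRecord("file-attacker", "attacker", "attacker's own doc"),
        },
        knowledge={"kb-attacker": KnowledgeBase("kb-attacker", "attacker")},
    )


def _owned_kb(store, user_id, kb_id):
    """The container check both variants perform: the caller owns the KB."""
    kb = store.knowledge.get(kb_id)
    if kb is None or kb.owner_id != user_id:
        raise NotFound(kb_id)
    return kb


def attach_file_vulnerable(store, user_id, kb_id, file_id):
    """Vulnerable shape: the KB is authorized, but the file_id from the request
    body is only checked for existence, never for ownership."""
    kb = _owned_kb(store, user_id, kb_id)
    if file_id not in store.files:
        raise NotFound(file_id)
    kb.file_ids.append(file_id)
    return kb


def attach_file_fixed(store, user_id, kb_id, file_id):
    """Fixed shape: the referenced file must belong to the caller as well.
    A foreign file and a nonexistent file get the same NotFound."""
    kb = _owned_kb(store, user_id, kb_id)
    f = store.files.get(file_id)
    if f is None or f.owner_id != user_id:
        raise NotFound(file_id)
    kb.file_ids.append(file_id)
    return kb


def read_kb_contents(store, user_id, kb_id):
    """Text of every file attached to the caller's KB. After a vulnerable
    attach, this is where the victim's content reaches the attacker (and,
    in a RAG pipeline, the model's context)."""
    kb = _owned_kb(store, user_id, kb_id)
    return [store.files[fid].content for fid in kb.file_ids]


def overwrite_via_kb_vulnerable(store, user_id, kb_id, file_id, new_content):
    """Vulnerable shape: membership in the caller's KB is treated as ownership."""
    kb = _owned_kb(store, user_id, kb_id)
    if file_id not in kb.file_ids:
        raise NotFound(file_id)
    store.files[file_id].content = new_content
    return store.files[file_id]


def overwrite_via_kb_fixed(store, user_id, kb_id, file_id, new_content):
    """Fixed shape: ownership is re-checked at write time, independently of
    how the file came to be attached (defence in depth)."""
    kb = _owned_kb(store, user_id, kb_id)
    f = store.files.get(file_id)
    if file_id not in kb.file_ids or f is None or f.owner_id != user_id:
        raise NotFound(file_id)
    f.content = new_content
    return f


def run_demo():
    """Runs the attacker's sequence against both variants on fresh sample
    data and returns what each variant allowed."""
    out = {}
    s = demo_store()
    attach_file_vulnerable(s, "attacker", "kb-attacker", "file-victim")
    out["vulnerable_read"] = read_kb_contents(s, "attacker", "kb-attacker")
    overwrite_via_kb_vulnerable(s, "attacker", "kb-attacker", "file-victim", "overwritten by attacker")
    out["vulnerable_victim_content"] = s.files["file-victim"].content

    s = demo_store()
    try:
        attach_file_fixed(s, "attacker", "kb-attacker", "file-victim")
        out["fixed_cross_user_attach"] = "allowed"
    except NotFound:
        out["fixed_cross_user_attach"] = "rejected"
    attach_file_fixed(s, "attacker", "kb-attacker", "file-attacker")
    out["fixed_read"] = read_kb_contents(s, "attacker", "kb-attacker")
    out["fixed_victim_content"] = s.files["file-victim"].content
    return out


if __name__ == "__main__":
    print(run_demo())
```

The ownership check belongs wherever a file ID crosses from request data into a query, not only at the point of attachment: once a foreign file sits inside a collection the caller owns, every later read, update and deletion that trusts the collection inherits the bug, which is why the fixed overwrite re-checks the file's owner rather than relying on the attach step.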
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-r472-mw7m-967f
First tracked: May 14, 2026 at 08:00 PM