GHSA-wch8-mhj5-9frg: Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
Summary
Open WebUI has a security flaw in which authenticated users can read other users' files through the `/api/chat/completions` endpoint. When a user sends an image request whose `image_url` field carries a file ID rather than a web link, the server reads that file from disk without checking whether the requesting user owns it, then converts it into a format the model can consume. An attacker can exploit this by supplying another user's file ID, causing the model to read and describe the private file and leak its contents.
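The authorization gap above, as an added illustration that is not Open WebUI's own code: an OpenAI-style chat message whose `image_url` part carries a file ID instead of an `http(s)` URL is resolved against the server's file store and inlined as a base64 data URL for the model. The vulnerable resolver only checks that the file exists; the hardened one also checks that the requesting user owns it, and returns the same error for "missing" and "not yours" so the endpoint cannot be used to enumerate other users' file IDs. The file store, user IDs, file IDs and contents are all constructed for the example; the message walker assumes the `{"type": "image_url", "image_url": {"url": ...}}` shape.

```python
"""Hypothetical model of the GHSA-wch8-mhj5-9frg authorization gap.
Not Open WebUI's code; every id and file below is constructed."""
import base64
import mimetypes
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    owner_id: str
    filename: str
    content: bytes


# Constructed in-memory file store standing in for files on disk.
FILES = {
    "file-alice-1": StoredFile("file-alice-1", "alice", "payslip.png",
                               b"PNG bytes of alice's private image"),
    "file-bob-1": StoredFile("file-bob-1", "bob", "cat.png",
                             b"PNG bytes of bob's cat picture"),
}

REMOTE_SCHEMES = ("http://", "https://", "data:")


def _to_data_url(rec: StoredFile) -> str:
    """Inline the file as a base64 data: URL, the form handed to the model."""
    mime = mimetypes.guess_type(rec.filename)[0] or "application/octet-stream"
    return f"data:{mime};base64,{base64.b64encode(rec.content).decode()}"


def data_url_payload(url: str) -> bytes:
    """Decode the bytes carried by a data: URL (used to inspect results)."""
    return base64.b64decode(url.split(",", 1)[1])


def resolve_image_url_vulnerable(user_id: str, image_url: str) -> str:
    """Vulnerable: any existing file id is served, whoever owns it."""
    if image_url.startswith(REMOTE_SCHEMES):
        return image_url
    rec = FILES.get(image_url)
    if rec is None:
        raise FileNotFoundError(image_url)
    return _to_data_url(rec)  # user_id is never consulted


def resolve_image_url_fixed(user_id: str, image_url: str) -> str:
    """Hardened: object-level authorization before the file is read."""
    if image_url.startswith(REMOTE_SCHEMES):
        return image_url
    rec = FILES.get(image_url)
    # One error for both "does not exist" and "not owned by caller", so the
    # endpoint does not confirm which file ids belong to other users.
    if rec is None or rec.owner_id != user_id:
        raise PermissionError("file not found or not accessible")
    return _to_data_url(rec)


def resolve_messages(user_id: str, messages: list,
                     resolver: Callable[[str, str], str]) -> list:
    """Walk chat-completion messages and resolve every image_url part."""
    out = []
    for msg in messages:
        content = msg.get("content")
        if not isinstance(content, list):
            out.append(msg)
            continue
        parts = []
        for part in content:
            if part.get("type") == "image_url":
                url = resolver(user_id, part["image_url"]["url"])
                part = {"type": "image_url", "image_url": {"url": url}}
            parts.append(part)
        out.append({**msg, "content": parts})
    return out


if __name__ == "__main__":
    # Bob submits a request that names Alice's file id.
    request = [{"role": "user", "content": [
        {"type": "text", "text": "Describe this image."},
        {"type": "image_url", "image_url": {"url": "file-alice-1"}},
    ]}]
    leaked = resolve_messages("bob", request, resolve_image_url_vulnerable)
    print("vulnerable resolver inlined:",
          data_url_payload(leaked[0]["content"][1]["image_url"]["url"]))
    try:
        resolve_messages("bob", request, resolve_image_url_fixed)
    except PermissionError as exc:
        print("fixed resolver refused:", exc)
```

The check belongs at the point where the ID is turned into bytes, not in the HTTP layer: any code path that resolves a file reference on behalf of a caller must compare the record's owner against the authenticated principal before reading the file.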
Vulnerability Details
EPSS: 0.0%
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://github.com/advisories/GHSA-wch8-mhj5-9frg
First tracked: June 17, 2026 at 02:01 PM
Classified by LLM (prompt v3) · confidence: 95%