GHSA-jjp7-g2jw-wh3j: Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Summary
Open WebUI's file batch processing endpoint lacks an ownership check, allowing any authenticated user to overwrite files in shared knowledge bases by knowing their IDs. An attacker can then poison the RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) system, causing the LLM to serve the attacker's malicious content to other users.
Solution / Mitigation
Add an ownership verification check before writing files. The source suggests this code: for file in form_data.files: db_file = Files.get_file_by_id(file.id) if not db_file or (db_file.user_id != user.id and user.role != "admin"): file_errors.append(BatchProcessFilesResult( file_id=file.id, status="failed", error="Permission denied: not file owner", )) continue This verifies that only the file's owner or an admin can modify it before the write operation proceeds.
Vulnerability Details
EPSS: 0.0%
Yes
March 27, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://github.com/advisories/GHSA-jjp7-g2jw-wh3j
First tracked: March 27, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%