File Content Overwrite Vulnerability in Open WebUI by Open WebUI
CVE-2026-28788

7.1 HIGH

Key Information:

Vendor: Open-webui
CVE Published: 26 March 2026

What is CVE-2026-28788?

Prior to version 0.8.6, Open WebUI contains a file content overwrite vulnerability that authenticated users can exploit. The issue arises from the lack of ownership checks in the POST /api/v1/retrieval/process/files/batch endpoint. An attacker can obtain file UUIDs through the GET /api/v1/knowledge/{id}/files endpoint and then overwrite the contents of files to which they should have only read access. Because the altered content is subsequently served to the language model, the attacker can manipulate the information presented by the platform and control the output delivered to other users.
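The missing control described above, shown as a flawed batch handler beside a hardened one. This is an added illustration, not Open WebUI's code or its actual patch. The in-memory store, the function names, the admin role and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class StoredFile:
    owner_id: str
    content: str

def can_write(user_id, role, f):
    # Assumed policy: write access means ownership or admin.
    # Read access granted through a shared knowledge base does not count.
    return role == "admin" or f.owner_id == user_id

def process_batch_unchecked(store, user_id, role, items):
    """Flawed pattern: any file id the caller supplies gets overwritten."""
    for file_id, content in items:
        store[file_id].content = content
    return len(items)

def process_batch_checked(store, user_id, role, items):
    """Hardened pattern: authorize every item before writing any of them."""
    for file_id, _ in items:
        f = store.get(file_id)
        # Unknown and foreign ids fail identically, so the error
        # does not confirm whether a given id exists.
        if f is None or not can_write(user_id, role, f):
            raise PermissionError("batch rejected: file not found or not writable")
    for file_id, content in items:
        store[file_id].content = content
    return len(items)

def make_store():
    # Constructed sample data: bob can read alice's file via a shared knowledge base.
    return {
        "file-alice": StoredFile(owner_id="alice", content="refund window is 30 days"),
        "file-bob": StoredFile(owner_id="bob", content="bob's notes"),
    }

def demo():
    # One batch mixing bob's own file with a file he can only read.
    batch = [("file-bob", "updated notes"), ("file-alice", "refund window is 0 days")]
    weak, hard = make_store(), make_store()
    process_batch_unchecked(weak, "bob", "user", batch)
    try:
        process_batch_checked(hard, "bob", "user", batch)
        rejected = False
    except PermissionError:
        rejected = True
    return weak["file-alice"].content, hard["file-alice"].content, hard["file-bob"].content, rejected

if __name__ == "__main__":
    print(demo())
```

The checked handler validates the whole batch before the first write, so a batch that mixes the caller's own files with someone else's changes nothing.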

Affected Version(s)

open-webui < 0.8.6

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
