File Upload Vulnerability in Open WebUI by Open WebUI
CVE-2026-44566

7.3 HIGH

Key Information:

Vendor: Open-webui
CVE Published: 15 May 2026

What is CVE-2026-44566?

Open WebUI, an offline self-hosted AI platform, contains a file upload vulnerability that allows attackers to exploit improper handling of file names. Prior to version 0.1.124, uploaded file names derived from the original HTTP request were not validated or sanitized, enabling the upload of files with dot-segments in the file path. This flaw potentially permits users to place files anywhere within the filesystem accessible by the web server user, posing significant security risks. The issue is resolved in version 0.1.124.
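The handling described above, as an added example that is not Open WebUI's code or its actual fix: a destination built directly from the client-supplied file name next to a hardened version that keeps only the final path component and checks containment. `UPLOAD_DIR`, the function names and the sample file names are assumptions made up for this illustration.

```python
import os
import uuid
from pathlib import Path, PurePosixPath, PureWindowsPath

# Hypothetical upload root, chosen for this example only.
UPLOAD_DIR = Path("/srv/app/uploads")


def naive_destination(client_filename: str) -> Path:
    """Pattern the advisory describes: the request's file name is joined as-is."""
    # normpath collapses dot-segments the way the filesystem would on open().
    return Path(os.path.normpath(UPLOAD_DIR / client_filename))


def safe_destination(client_filename: str) -> Path:
    """Keep only the last path component, then verify containment."""
    # Strip directory parts written with either '/' or '\\' separators.
    name = PureWindowsPath(PurePosixPath(client_filename).name).name
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("rejected upload file name")
    # A server-generated prefix avoids overwriting an existing upload.
    dest = (UPLOAD_DIR / f"{uuid.uuid4().hex}_{name}").resolve()
    # Defence in depth: the resolved path must stay under the upload root.
    if not dest.is_relative_to(UPLOAD_DIR.resolve()):
        raise ValueError("destination escapes upload directory")
    return dest


def escapes_root(path: Path) -> bool:
    """True when a computed destination lies outside the upload root."""
    return not path.is_relative_to(UPLOAD_DIR)


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ["report.txt", "../../outside/report.txt", "/abs/report.txt"]:
        print(f"{sample!r}: naive -> {naive_destination(sample)}, "
              f"safe -> {safe_destination(sample)}")
```

The same containment check can be run over existing upload records to find files that were stored outside the upload root before upgrading.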

Affected Version(s)

open-webui < 0.1.124

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved