File Access Control Flaw in Open WebUI Affects User Operations
CVE-2026-59212

5.4MEDIUM

Key Information:

Vendor

Open-webui

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59212?

An important security flaw exists in Open WebUI, an extensible self-hosted AI platform, where the _verify_knowledge_file_access function improperly checks permissions. This results in unauthorized users being able to escalate their access rights, allowing them to perform file write and delete operations on knowledge files they should only have read access to. This vulnerability affects all versions from 0.9.6 up to 0.10.0, and it has been resolved in version 0.10.0. Users are urged to upgrade to the latest version to mitigate potential risks.

Affected Version(s)

open-webui >= 0.9.6, < 0.10.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.