Open WebUI: Deleting files without permission

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

Open WebUI: Deleting files without permission

CVE-2026-29070

Summary

A security issue in Open WebUI allows users with write access to delete files they shouldn't be able to. This is fixed in version 0.8.6. Users should update to this version to prevent unauthorized file deletion.

Original title

Original description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.

nvd CVSS3.1 5.4

Vulnerability type

CWE-862 Missing Authorization

https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf

Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 27 Mar 2026