CVE intelligence and bounded remediation

CVE-2026-54012 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline

High CVSS 7.1

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two places: the built-in view_file tool reads the file's extracted text, and has_access_to_file()'s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user's file ID to their model metadata and read or delete that private file. This vulnerability is fixed in 0.9.6.

Severity
High
CVSS
7.1 (3.1)
Published
2026-06-23
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-284, CWE-285, CWE-862

Affected products

  • openwebui / open_webui

Matched remediation archetype

Authorization bypass, IDOR, and cross-tenant access

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Map object and action authorization checks across API, UI, batch, import/export, and background-job paths.
  • Identify tenant, ownership, role, and policy boundaries for affected resources and administrative operations.
  • Use synthetic fixtures to compare intended access matrices without accessing another user's real data.

Remediate safely

  • Enforce server-side authorization at each resource access and state transition using the authenticated principal and trusted tenant context.
  • Scope data queries by tenant and ownership; treat client-supplied identifiers, roles, and policy claims as untrusted.
  • Add deny-by-default policy tests for horizontal and vertical access across every affected transport.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.