HIGH🇬🇧 English

CVE-2026-54010

CVSS 8.3v3.1pub. 2026-06-23upd. 2026-06-25

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file. This vulnerability is fixed in 0.9.6.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  • Openwebui Open Webui

    APP
    Openwebui
    < 0.9.6
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-44551CRITICAL9.1PL ✓ten sam produkt

Open WebUI: pominięcie uwierzytelnienia LDAP przez puste hasło (Auth Bypass)

CVE-2024-8017CRITICAL9.0PL ✓ten sam produkt

XSS w Open WebUI — kradzież sesji i eskalacja uprawnień do admina

CVE-2024-7053CRITICAL9.0PL ✓ten sam produkt

Session fixation i kradzież sesji administratora w Open WebUI

CVE-2026-54007HIGH7.1ten sam produkt

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0....

CVE-2026-54008HIGH8.5ten sam produkt

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0....

CVE-2026-54010 — HIGH 8.3 | CVEbaza.pl