8.1

CVE-2026-29070

Exploit

EPSS 0.04%
Veröffentlicht 26.03.2026 23:39:33
Zuletzt bearbeitet 01.04.2026 16:10:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openwebui ≫ Open Webui Version < 0.8.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.115

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-29070

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-29070

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-29070

EUVD