Cyber Resilience

CVE-2026-28788

High · Public PoC

Published: 27 March 2026

Modified: 01 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0002 (5.3rd percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28788 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Open WebUI. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-28788 affects Open WebUI, a self-hosted artificial intelligence platform designed for offline operation. In versions prior to 0.8.6, the vulnerability resides in the `POST /api/v1/retrieval/process/files/batch` endpoint, which lets any authenticated user overwrite the content of any file by its ID because the endpoint performs no ownership check. This issue, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L). The high severity reflects network accessibility, low attack complexity, and a low privilege requirement.

An attacker with regular authenticated access can exploit this by first obtaining file UUIDs from a shared knowledge base via the `GET /api/v1/knowledge/{id}/files` endpoint, assuming they have read access. They can then escalate privileges from read-only to write by submitting overwrite requests through the vulnerable batch endpoint. The manipulated file content is subsequently served to the large language model (LLM) via Retrieval-Augmented Generation (RAG), enabling the attacker to control the information presented to other users querying the knowledge base.

The official GitHub security advisory (GHSA-jjp7-g2jw-wh3j) confirms that Open WebUI version 0.8.6 addresses the issue by implementing proper ownership checks in the affected endpoint. Security practitioners should upgrade to at least version 0.8.6 and review access controls for shared knowledge bases.
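The missing check can be modelled in a few lines. This is an added example, not Open WebUI's code and not the 0.8.6 patch; the `FileRecord` store, the `can_write` policy and both function names are hypothetical, and the sample data is constructed.

```python
"""Simplified model of a per-item ownership check for a batch file-update
handler. Constructed for illustration; not Open WebUI code."""
from dataclasses import dataclass


@dataclass
class FileRecord:
    owner_id: str
    content: str


class Forbidden(Exception):
    """Raised when the caller may not write one of the requested files."""


# Constructed sample store: one file owned by alice, one by bob.
FILES = {
    "file-a": FileRecord(owner_id="alice", content="alice's notes"),
    "file-b": FileRecord(owner_id="bob", content="bob's notes"),
}


def can_write(user_id: str, role: str, record: FileRecord) -> bool:
    # Assumed policy: only the owner or an admin may write. Read access to a
    # shared knowledge base never implies write access to its files.
    return role == "admin" or record.owner_id == user_id


def batch_update_unchecked(store, user_id, role, items):
    # CWE-639 pattern: the client-supplied ID is trusted as the lookup key
    # and the caller's identity is never compared with the file's owner.
    for file_id, content in items:
        store[file_id].content = content


def batch_update_checked(store, user_id, role, items):
    # Authorize every item before writing any, so a mixed batch fails whole
    # instead of being partially applied. Unknown IDs are denied the same way
    # as unauthorized ones, so the response does not reveal which IDs exist.
    denied = [
        fid for fid, _ in items
        if fid not in store or not can_write(user_id, role, store[fid])
    ]
    if denied:
        raise Forbidden(f"{user_id} may not write: {sorted(denied)}")
    for file_id, content in items:
        store[file_id].content = content
```
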

This vulnerability is particularly relevant in AI/ML environments, as it undermines the integrity of RAG pipelines in self-hosted deployments, potentially leading to prompt injection or misinformation propagation without requiring elevated privileges. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-03-27.

Vulnerability details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users. Version 0.8.6 patches the issue.

CWE(s)

CWE-639: Authorization Bypass Through User-Controlled Key

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: artificial intelligence, llm, open webui

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The authorization bypass in the public web API endpoint (`POST /api/v1/retrieval/process/files/batch`) directly enables exploitation of a public-facing application (T1190) to perform unauthorized overwrite of stored knowledge-base files (T1565.001), allowing tainted content to be served via RAG.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45398 (same product: Openwebui Open Webui)
CVE-2026-45402 (same product: Openwebui Open Webui)
CVE-2026-45671 (same product: Openwebui Open Webui)
CVE-2026-44570 (same product: Openwebui Open Webui)
CVE-2026-45349 (same product: Openwebui Open Webui)
CVE-2026-44569 (same product: Openwebui Open Webui)
CVE-2026-44567 (same product: Openwebui Open Webui)
CVE-2026-44551 (same product: Openwebui Open Webui)
CVE-2026-44552 (same product: Openwebui Open Webui)
CVE-2026-45400 (same product: Openwebui Open Webui)

Affected Assets

openwebui open webui, versions ≤ 0.8.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires systems to enforce approved authorizations for logical access to resources, directly preventing unauthorized file overwrites by implementing ownership checks on the vulnerable batch endpoint.

Prevent: Enforces least privilege to ensure regular authenticated users lack write access to files in shared knowledge bases, mitigating privilege escalation from read to write.

Detect: Monitors and verifies the integrity of files in RAG pipelines, detecting unauthorized content overwrites that could lead to misinformation in LLM responses.
