CVE-2026-28788

CVE-2026-28788 affects Open WebUI, a self-hosted artificial intelligence platform designed for offline operation. In versions prior to 0.8.6, the vulnerability resides in the `POST /api/v1/retrieval/process/files/batch` endpoint, which allows any authenticated user to overwrite the content of any file by its ID without performing an ownership check. This issue, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and requirements for low privileges.

An attacker with regular authenticated access can exploit this by first obtaining file UUIDs from a shared knowledge base via the `GET /api/v1/knowledge/{id}/files` endpoint, assuming they have read access. They can then escalate privileges from read-only to write by submitting overwrite requests through the vulnerable batch endpoint. The manipulated file content is subsequently served to the large language model (LLM) via Retrieval-Augmented Generation (RAG), enabling the attacker to control the information presented to other users querying the knowledge base.

The official GitHub security advisory (GHSA-jjp7-g2jw-wh3j) confirms that Open WebUI version 0.8.6 addresses the issue by implementing proper ownership checks in the affected endpoint. Security practitioners should upgrade to at least version 0.8.6 and review access controls for shared knowledge bases.

This vulnerability is particularly relevant in AI/ML environments, as it undermines the integrity of RAG pipelines in self-hosted deployments, potentially leading to prompt injection or misinformation propagation without requiring elevated privileges. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-03-27.