Cyber Resilience

CVE-2026-45402

HighPublic PoC

Published: 15 May 2026

Published
15 May 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0035 26.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-45402 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Openwebui Open Webui. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that…

more

the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence, open webui

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

CWE-639 IDOR on file_id parameters directly enables unauthorized read (exfil) and write (overwrite) of other users' private files via the RAG endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28788Same product: Openwebui Open Webui
CVE-2026-45349Same product: Openwebui Open Webui
CVE-2026-44570Same product: Openwebui Open Webui
CVE-2026-45398Same product: Openwebui Open Webui
CVE-2026-45671Same product: Openwebui Open Webui
CVE-2026-44552Same product: Openwebui Open Webui
CVE-2026-45301Same product: Openwebui Open Webui
CVE-2026-44554Same product: Openwebui Open Webui
CVE-2026-29070Same product: Openwebui Open Webui
CVE-2026-44569Same product: Openwebui Open Webui

Affected Assets

openwebui
open webui
≤ 0.9.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

References