Back to overview

CVE-2026-59217

MEDIUM
4.3
CVSS 3.1
Description
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.

Metadata

CVE ID
CVE-2026-59217
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-02 21:05 UTC
Published
2026-07-09 16:51 UTC
Last updated
2026-07-09 16:51 UTC
Primary CWE
CWE-862
CWE-862: Missing Authorization
Vendor / Product
open-webui / open-webui
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
open-webui open-webui < 0.10.0
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862: Missing Authorization
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References (4)
Back to overview