Open WebUI File Overwrite Vulnerability Allowing RAG Poisoning

A vulnerability in Open WebUI versions prior to 0.8.6 allows any authenticated user to overwrite the content of files by ID through the POST /api/v1/retrieval/process/files/batch endpoint. This endpoint lacks an ownership check, enabling regular users with read access to a shared knowledge base to obtain file UUIDs via GET /api/v1/knowledge/{id}/files. Once the UUIDs are acquired, these users can overwrite the files, escalating their access from read to write. The modified content is then delivered to the language model via retrieval-augmented generation (RAG), allowing the attacker to control the information shared with other users.

Impact

Exploitation of this vulnerability leads to unauthorized file content modification, with the changes being served to the language model and influencing responses to other users. This could include injecting instructions for the model to follow, potentially causing further exploitation depending on the available tools in the deployment, such as a code interpreter or function calling. Additionally, the vulnerability allows for silent data corruption, as the original file content is permanently replaced without any notification to the file owner or other users.

Reproduction

To reproduce this vulnerability, first, upload a file to a knowledge base shared with read access. Then, use a regular user account to retrieve the file UUIDs from the knowledge base. Once the UUIDs are obtained, the vulnerability can be exploited by sending a POST request to the /api/v1/retrieval/process/files/batch endpoint, including the target file UUID and the new content to overwrite it. After the file is overwritten, the changes can be verified by checking the file through the knowledge base, which will reflect the injected content.

Remediation

Users can update to Open WebUI version 0.8.6 or later, where this vulnerability has been patched.