Open WebUI Knowledge Base File Deletion Vulnerability

Vulnerability

A vulnerability in Open WebUI prior to version 0.8.6 allows for unauthorized deletion of files from knowledge bases. The issue arises because the application fails to verify that a file being deleted actually belongs to the user's knowledge base. Instead, it only checks if the user has write access or is an admin. As a result, users can delete arbitrary files from any knowledge base, provided they know the file ID.
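
The missing check described above, as an added example that is not Open WebUI's own code: a constructed in-memory model showing the flawed delete path beside one that also verifies the file belongs to the knowledge base the caller was authorized on. All class, method and ID names here are hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass
class KnowledgeBase:
    owner_id: str
    file_ids: set = field(default_factory=set)


class Store:
    """Constructed in-memory stand-in for the knowledge base and file tables."""

    def __init__(self):
        self.kbs = {"kb-alice": KnowledgeBase("alice", {"file-a1"}),
                    "kb-bob": KnowledgeBase("bob", {"file-b1"})}
        self.files = {"file-a1": b"alice notes", "file-b1": b"bob notes"}

    def _writable_kb(self, user, kb_id):
        kb = self.kbs.get(kb_id)
        if kb is None:
            raise NotFound(kb_id)
        if user["role"] != "admin" and kb.owner_id != user["id"]:
            raise Forbidden(kb_id)
        return kb

    def delete_file_flawed(self, user, kb_id, file_id):
        # Flawed pattern: the caller's write access to kb_id is checked, but
        # file_id is never tied to kb_id, so any known file ID is accepted.
        kb = self._writable_kb(user, kb_id)
        kb.file_ids.discard(file_id)
        self.files.pop(file_id, None)

    def delete_file_checked(self, user, kb_id, file_id):
        # Hardened pattern: same access check, plus a membership check that
        # the file belongs to the knowledge base the caller was authorized on.
        kb = self._writable_kb(user, kb_id)
        if file_id not in kb.file_ids:
            raise NotFound(file_id)  # same error whether absent or foreign
        kb.file_ids.remove(file_id)
        del self.files[file_id]
```

Returning the same not-found error for a missing file and for a file in someone else's knowledge base keeps the endpoint from confirming which file IDs exist.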

Impact

Exploitation of this vulnerability allows for arbitrary file deletion from knowledge bases.

Reproduction

To reproduce this vulnerability, a user must have knowledge bases with files and create a collection. The user can then send a request to delete a file from a knowledge base that does not belong to them, using the file ID of a file in the victim's knowledge base. The request will be processed successfully, and the file will be deleted from the victim's knowledge base.

Remediation

Users are advised to update to Open WebUI version 0.8.6 or later, where this vulnerability has been patched.

Added: Mar 27, 2026, 12:22 AM
Updated: Mar 27, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.