Open WebUI Missing Permission Check in Files API Endpoints Allows Unauthorized File Access and Deletion

Vulnerability

A vulnerability in Open WebUI versions prior to 0.3.16 allows authenticated users to bypass permission checks in the files API. This flaw enables users to list, access, and delete files uploaded by any user on the platform. The issue arises because the API endpoints do not verify file ownership, allowing unauthorized manipulation of files.

Impact

Exploitation of this vulnerability compromises the confidentiality of user-uploaded files by allowing unauthorized access to sensitive information. Additionally, the ability to delete any user's file compromises the integrity of other users' data.

Reproduction

To reproduce this vulnerability, log in as an authenticated user without elevated permissions. Then, send a GET request to the '/api/v1/files/' endpoint to list all files uploaded by all users. Afterward, access the content of any file by sending a GET request to '/api/v1/files/{id}/content', replacing '{id}' with the file's ID. Finally, delete any file by sending a DELETE request to '/api/v1/files/{id}', again replacing '{id}' with the file's ID.
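As an added illustration (not Open WebUI's own code), the following models the three endpoints above as plain Python handlers that apply the ownership check the unpatched versions lacked: listing is filtered to the caller's uploads, and content reads and deletes verify the owner (or an admin role) before acting. The User and StoredFile types, the in-memory FILES store, its sample entries and the exception names are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    role: str = "user"  # "user" or "admin" (assumed role model)

@dataclass
class StoredFile:
    id: str
    user_id: str  # uploader; the field the unpatched endpoints never consulted
    filename: str
    content: bytes

# Constructed in-memory store standing in for the files table (sample data only).
FILES: dict[str, StoredFile] = {
    "f1": StoredFile("f1", "alice", "notes.txt", b"alice's private notes"),
    "f2": StoredFile("f2", "bob", "report.pdf", b"bob's quarterly report"),
}

class Forbidden(Exception):
    """Maps to HTTP 403 in a real handler."""

class NotFound(Exception):
    """Maps to HTTP 404 in a real handler."""

def _get_owned(user: User, file_id: str) -> StoredFile:
    """Enforce ownership before any per-file operation; admins may access any file.
    (Answering 404 instead of 403 to non-owners would also hide whether an ID exists.)"""
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    if f.user_id != user.id and user.role != "admin":
        raise Forbidden(file_id)
    return f

def list_files(user: User) -> list[str]:
    """GET /api/v1/files/ : non-admins see only their own uploads."""
    return [f.id for f in FILES.values() if user.role == "admin" or f.user_id == user.id]

def get_file_content(user: User, file_id: str) -> bytes:
    """GET /api/v1/files/{id}/content, gated by the ownership check."""
    return _get_owned(user, file_id).content

def delete_file(user: User, file_id: str) -> str:
    """DELETE /api/v1/files/{id}, gated by the same check; returns the deleted id."""
    f = _get_owned(user, file_id)
    del FILES[f.id]
    return f.id
```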

Remediation

Users are advised to update to Open WebUI version 0.3.16 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 10:33 PM
Updated: May 15, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.