CVE-2026-29070 · HIGH 8.1 · EPSS p16.2%

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.25% probability of exploitation · percentile 16.2% · 2026-06-19T12:03:05Z
Published: 2026-03-27
Last modified: 2026-04-01

Underlying weaknesses · 1

CWE-862

References

  1. https://github.com/open-webui/open-webui/security/advisories/GHSA-26gm-93rw-cchf

Type · Target · Confidence · Tier
Weakness · Missing Authorization (cwe-862) · 0% · live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-45301
  2. CVE-2026-45671
  3. CVE-2026-45402
  4. CVE-2026-44570
  5. CVE-2026-44565
  6. CVE-2026-44566

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.